The Sorra staking contract was hacked because of an incorrect reward calculation. When a user withdraws tokens, the contract also pays out their reward.
The “userRewardsDistributed” value is increased each time a user receives a reward, but it is not taken into account when the pending reward is calculated, so a user can collect the same reward several times.
The hacker simply called “withdraw(1 wei)” multiple times and gained almost $43k.
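The accounting flaw described above, next to the corrected calculation, as an added example: this is a simplified Python model written for this page, not the Sorra contract's own code. Only `withdraw` and the `userRewardsDistributed` counter come from the post; the other names, the flat 10% reward and the sample amounts are assumptions.

```python
from dataclasses import dataclass, field

REWARD_BPS = 1_000  # assumed flat 10% reward on the deposit (constructed value)

@dataclass
class StakingModel:
    deduct_distributed: bool   # False: flawed accounting, True: corrected accounting
    reward_pool: int           # tokens the contract holds for paying rewards
    staked: dict = field(default_factory=dict)    # user -> remaining principal
    earned: dict = field(default_factory=dict)    # user -> total reward of the position
    user_rewards_distributed: dict = field(default_factory=dict)  # user -> paid so far

    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount
        self.earned[user] = self.earned.get(user, 0) + amount * REWARD_BPS // 10_000
        self.user_rewards_distributed.setdefault(user, 0)

    def pending_reward(self, user):
        if self.deduct_distributed:
            # Corrected: only the part of the reward not yet paid is still pending.
            return max(self.earned[user] - self.user_rewards_distributed[user], 0)
        # Flawed: the counter is maintained in withdraw() but never read here.
        return self.earned[user]

    def withdraw(self, user, amount):
        if not 0 < amount <= self.staked[user]:
            raise ValueError("invalid withdrawal amount")
        reward = min(self.pending_reward(user), self.reward_pool)
        self.user_rewards_distributed[user] += reward
        self.reward_pool -= reward
        self.staked[user] -= amount
        return reward

def rewards_paid(deduct_distributed, withdrawals, stake=1_000, pool=10_000):
    """Total reward paid to one staker who makes `withdrawals` minimal withdrawals."""
    model = StakingModel(deduct_distributed=deduct_distributed, reward_pool=pool)
    model.deposit("staker", stake)
    return sum(model.withdraw("staker", 1) for _ in range(withdrawals))

def overpaid_users(model):
    """Monitoring invariant: nobody may be paid more than their position earned."""
    return [u for u, paid in model.user_rewards_distributed.items() if paid > model.earned[u]]

if __name__ == "__main__":
    print("flawed   :", rewards_paid(False, 5))
    print("corrected:", rewards_paid(True, 5))
```

The `overpaid_users` check is the invariant a unit test or an on-chain monitor can assert after every withdrawal: the distributed total for a user must never exceed what their position earned.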