Author: nick

I think root cause is improper check of calldata in “uniswapV2Call” function. It needs to check first parameter-sender address, but it didn’t. Hacker could call this callback function by calling “swap” function.

Anyone who holds SPythia token can call “claimRewards” function without any locking period. Hacker could call “claimRewards” function several times by moving tokens from one account to another account. Reward amout should be calculated using locked period.