Reward distribution can be called multiple times for the same campaign

[hats-bug-reporter]

Github username: @skypper
Twitter username: tudoratu
Submission hash (on-chain): 0x0c4f668567bc6045f828f9c0ea56129743e2a4d14a6db4f85399a45bd0abcd62
Severity: medium

Description:
Description
The method distributeRewards can be called again for the same campaign to correct a mistake.
If in the meanwhile a claim could have been processed and it is irreversible. and could drain the funds which by right should be assigned to another address.

The likelyhood of this issue is very low, however the severity is medium.
Attack Scenario\

1. The updater account performs distributeRewardsand assigns 1 WETH to Alice and 1 WETH to Bob.
2. Bob claims the 1 WETH.
3. The updater noticed the assignment should be 2 WETH to Alice and no WETH to Bob and performs another distributeRewards.

Now it is too late as Bob has already claimed 1 WETH and Alice can only claim 1 WETH (instead of 2).

[luzzif]

The backend is coded so that claims are ever-increasing. A claim can never be reduced in quantity, only increased, and the smart contract keeps track of how much reward has already been claimed so double claim risks are neutralized.