20,000 USDC
Submission Details
Severity: medium
Valid

Topped-up staking rewards can be claimed immediately and risk-free

Summary

The Staking contract does not enforce a minimum staking duration for claiming rewards, resulting in risk-free claiming of rewards.

Vulnerability Details

Staking rewards are distributed pro-rata to stakers based on their staked amount. The rewards, WETH tokens, are topped up either automatically due to the fee-sharing mechanism (by using the Fees contract as the fee recipient) or manually. Those newly topped-up rewards can be claimed by stakers who have an active stake at the time of the top-up.

However, this mechanism is vulnerable to front-running: anyone can front-run the top-up transaction, stake funds, wait for the top-up transaction to land, claim the rewards, and unstake, all within the same block (e.g., by using Flashbots). This allows risk-free claiming of rewards, since the staker can use cheaply borrowed staking tokens for the duration of a single block and is exposed neither to token price volatility nor to smart contract (Staking contract) risk.

Staking.sol#L38-L58

Impact

Risk-free claiming of staking rewards.

Tools Used

Manual Review

Recommendations

Consider incorporating the staked time period in the rewards calculation or, alternatively, enforce a reasonable minimum staking duration.
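Added example (not the audited project's code, and written in Python rather than Solidity): a minimal model of the pro-rata reward accounting described in the finding, running the stake, top-up, claim and unstake sequence within one block, with `min_stake_blocks` as the second recommendation; the class and function names and the token amounts are assumed names and constructed values.

```python
from dataclasses import dataclass, field
PRECISION = 10**18  # fixed-point scale for the accumulated reward per share

@dataclass
class Stake:
    amount: int
    since: int        # block in which the stake was opened
    reward_debt: int  # acc_reward_per_share checkpoint at the last claim

@dataclass
class Staking:
    # 0 models the behaviour described in the finding; >0 is the hardened variant
    min_stake_blocks: int = 0
    total_staked: int = 0
    acc_reward_per_share: int = 0
    stakes: dict = field(default_factory=dict)

    def stake(self, who, amount, block):
        self.stakes[who] = Stake(amount, block, self.acc_reward_per_share)
        self.total_staked += amount

    def top_up(self, weth):
        # Fee-sharing or manual top-up: split pro-rata among current stakers.
        if self.total_staked:
            self.acc_reward_per_share += weth * PRECISION // self.total_staked

    def claim(self, who, block):
        s = self.stakes[who]
        if block - s.since < self.min_stake_blocks:
            raise ValueError("stake is younger than the minimum duration")
        owed = s.amount * (self.acc_reward_per_share - s.reward_debt) // PRECISION
        s.reward_debt = self.acc_reward_per_share
        return owed

    def unstake(self, who):
        s = self.stakes.pop(who)
        self.total_staked -= s.amount

def same_block_scenario(min_stake_blocks):
    """WETH claimed by (same-block account, long-term staker) after one top-up."""
    st = Staking(min_stake_blocks=min_stake_blocks)
    st.stake("longterm", 100, block=1)       # staked long before the top-up
    st.stake("sameblock", 900, block=200)    # opened just before the top-up tx
    st.top_up(10 * 10**18)                   # 10 WETH distributed in block 200
    try:
        grabbed = st.claim("sameblock", block=200)
    except ValueError:                       # hardened variant refuses the claim
        grabbed = 0
    st.unstake("sameblock")                  # exits in the same block
    return grabbed, st.claim("longterm", block=200)
```

With `min_stake_blocks=0` the same-block account takes 9 of the 10 WETH and the long-term staker gets 1; with a positive minimum the same-block claim is refused, although in this model the refused share stays in the contract rather than reaching the long-term staker, which is why weighting rewards by staked time is the more complete of the two recommendations.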
