WETH staking rewards accumulated before the first staker deposits remain unutilized and stuck in the `Staking` contract
Summary
Fees accrued from the Lending contract and sent to the Staking contract to be used as staking rewards are not claimable if no staker has deposited tokens yet.
Vulnerability Details
The Lending contract continuously accrues fees and sends fees via the Fees contract to the Staking contract, WETH rewards potentially accumulate in the Staking contract even before stakers deposit tokens (i.e., totalSupply == 0).
As soon as the first user stakes TKN tokens with the deposit function, the internal call of the updateFor function leads to the index being updated (reflecting the previously topped-up WETH tokens). This newly updated and non-zero index is then used to initialize the user's supplyIndex in line 92. Similarly for subsequent stakers.
Consequently, the claimable rewards are zero for those stakers, and the initial WETH token rewards remain unutilized and stuck in the Staking contract.
Impact
Topped-up WETH rewards can not be claimed as rewards and remain unutilized and stuck in the Staking contract.
Tools Used
Manual Review
Recommendations
Consider accounting for the total staked amount of TKN tokens in a separate storage variable after the TKN token transfer in the deposit function instead of retrieving the current balance of TKN tokens via the balanceOf function in line 62. This ensures that only properly staked TKN tokens are accounted for in the index calculation.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.