20,000 USDC
Submission Details
Severity: low
Valid

Griefing Attack via updateFor Function

Summary

A vulnerability has been identified in the updateFor function, which can be exploited by an attacker to grief users with smaller deposits. The function, being public, allows anyone to call it for any address, potentially causing rounding errors that can lead to reduced or zero rewards for users with low deposits.

Vulnerability Details

The updateFor function updates the rewards for a given recipient. Within the function, the reward share for the recipient is calculated using the formula:
uint256 _share = _supplied * _delta / 1e18;

Because updateFor is public, an attacker can call it repeatedly for an address with a small deposit (_supplied) whenever the _delta (the change in the reward index since that address was last updated) is still small. Each such call multiplies a small _supplied by a small _delta, so the product can be well below 1e18, and Solidity's integer division then rounds _share down to zero while the recipient's index checkpoint is still advanced. The reward accrued in that interval is lost rather than deferred, so the recipient never receives it, effectively being "griefed" by the attacker.

Impact

Users with smaller deposits might receive fewer rewards or none at all due to the rounding down caused by frequent updates.

Tools Used

Manual Review

Recommendations

Introduce a minimum threshold for _delta to ensure that the reward calculation is meaningful and not prone to rounding errors.
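The following Python simulation is an added example, not code from the audited contract or this report; it reproduces the rounding described under Vulnerability Details with EVM-style integer arithmetic and shows the effect of the minimum _delta threshold recommended above. The class and function names (RewardIndex, update_for, simulate, min_delta) and the numeric inputs are assumptions chosen for illustration.

```python
# Simulation of an index-based reward accumulator whose updateFor computes
# _share = _supplied * _delta / 1e18 with integer division (rounds toward zero).
# Model only; names and numbers are constructed, not taken from the audited code.
ONE = 10**18  # index precision, as in the report's formula


class RewardIndex:
    """Global reward index plus a per-user checkpoint of the index at last update."""

    def __init__(self, min_delta: int = 0):
        self.index = 0               # global reward index, 1e18-scaled
        self.supplied = {}           # user -> deposit (_supplied)
        self.supply_index = {}       # user -> index value at the user's last update
        self.claimable = {}          # user -> accrued reward
        self.min_delta = min_delta   # recommended threshold; 0 reproduces the original behaviour

    def deposit(self, user: str, amount: int) -> None:
        self.supplied[user] = amount
        self.supply_index[user] = self.index
        self.claimable[user] = 0

    def accrue(self, delta: int) -> None:
        self.index += delta          # new rewards arrive: the global index grows by delta

    def update_for(self, user: str) -> int:
        """Public in the audited design: any caller may settle any address."""
        delta = self.index - self.supply_index[user]
        if delta < self.min_delta:   # mitigation: below the threshold, leave the checkpoint alone
            return 0
        share = self.supplied[user] * delta // ONE   # integer division rounds down
        self.claimable[user] += share
        self.supply_index[user] = self.index         # checkpoint moves even when share == 0
        return share


def simulate(supplied: int, step_delta: int, steps: int, grief: bool, min_delta: int = 0) -> int:
    """Reward a user holds after `steps` accruals of `step_delta` each.
    grief=True models an attacker calling update_for after every accrual."""
    acc = RewardIndex(min_delta)
    acc.deposit("victim", supplied)
    for _ in range(steps):
        acc.accrue(step_delta)
        if grief:
            acc.update_for("victim")
    acc.update_for("victim")         # the user's own final settlement
    return acc.claimable["victim"]


if __name__ == "__main__":
    # Constructed inputs: a 10_000-unit deposit, index growing by 1e13 per step for 100 steps.
    print("honest:", simulate(10_000, 10**13, 100, grief=False))                       # 10
    print("griefed:", simulate(10_000, 10**13, 100, grief=True))                        # 0
    print("griefed, threshold:", simulate(10_000, 10**13, 100, True, min_delta=10**15))  # 10
```

The threshold has to be sized against the smallest deposit the contract accepts: at the same 1e15 threshold a deposit of 100 units would still see its share round to zero, and any user whose accrued _delta never reaches the threshold cannot settle at all.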
