By inserting a transaction between the deployment of the staking contract and the deposit of the first amount of WETH, an attacker can steal the whole amount.
Let's say Beedle has been active for some time and the owners have collected some fees. They decide to deploy staking and put 1 WETH inside of it as the initial deposit. After they send their TX for deployment and before the TX for sending WETH, an attacker would be able to insert his own TX in the middle of them. He would just need to deposit any amount of TKN (it could be as little as 1 wei), and when the WETH is sent he can call claim and claim 100% of it.
Example
The owners deploy the contract and afterwards send 1 WETH to it as staking incentives.
The attacker sees that, so he inserts his deposit TX of 1 wei between these 2 and boosts the 3 TXs with Flashbots (to be sure they will execute in this order).
The deposit runs update and updateFor. In update the index will be 0, since the 2 balances will be equal.
Because the index is 0, updateFor will also set the attacker's index to 0.
After the 1 WETH is sent, the attacker just calls claim, which triggers update, and the global index becomes 1e36.
From there his share increases to 1e18, and claim sends it.
The attacker would be able to steal 100% of the initial deposit with an amount of TKN as low as 1 wei.
Manual review and Echidna 2.0
You can improve the math for calculating and updating the rewards, or after deployment make sure there are a lot of staked users and then send the WETH.
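The accounting walked through in the example, as an added Python model (not the Beedle contract's code or the author's). The formulas `index += diff * 1e18 / totalStaked` and `share = staked * delta / 1e18` are assumptions chosen to reproduce the 1e36 and 1e18 figures above, and `StakingModel`, `payouts` and the account names are hypothetical. It also runs the recommended ordering, where the WETH is sent only after a large staked supply exists.

```python
SCALE = 10**18  # assumed fixed-point scale; reproduces the 1e36 index in the report

class StakingModel:
    """Constructed model of index-based reward accounting (not contract source)."""
    def __init__(self):
        self.weth = 0           # WETH held by the contract
        self.balance = 0        # WETH already folded into the index
        self.index = 0          # global reward index
        self.staked, self.supply_index, self.claimable = {}, {}, {}

    def update(self):
        supply = sum(self.staked.values())
        diff = self.weth - self.balance
        if supply > 0 and diff > 0:
            ratio = diff * SCALE // supply
            if ratio > 0:
                self.index += ratio
                self.balance = self.weth

    def update_for(self, who):
        self.update()
        delta = self.index - self.supply_index.get(who, 0)
        self.supply_index[who] = self.index
        share = self.staked.get(who, 0) * delta // SCALE
        self.claimable[who] = self.claimable.get(who, 0) + share

    def deposit(self, who, amount):
        self.update_for(who)
        self.staked[who] = self.staked.get(who, 0) + amount

    def fund(self, amount):
        self.weth += amount     # plain transfer: no accounting runs until update()

    def claim(self, who):
        self.update_for(who)
        paid = self.claimable.pop(who, 0)
        self.weth -= paid
        self.balance -= paid
        return paid

def payouts(deposits, seed=SCALE):
    """Stake `deposits` (constructed sample data), seed WETH, then everyone claims."""
    m = StakingModel()
    for who, amount in deposits:
        m.deposit(who, amount)
    m.fund(seed)
    return {who: m.claim(who) for who, _ in deposits}

if __name__ == "__main__":
    print(payouts([("lone_1wei", 1)]))  # WETH seeded right after deploy
    print(payouts([("existing_stakers", 10**6 * SCALE), ("late_1wei", 1)]))  # seeded later
```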