The Staking smart contract contains a vulnerability in the order of operations during the deposit process. The deposit function allows users to stake tokens, but it does not update the user's supply index before executing the transferFrom operation that deposits the tokens. This may lead to inaccurate calculation of the user's claimable rewards, potentially resulting in discrepancies in reward payouts.
The issue is in the deposit function: the contract should update the user's supply index before executing transferFrom, but it currently executes transferFrom first. Because the user's supply index is not up to date at the time of deposit, claimable rewards can be calculated incorrectly.
The vulnerability can have the following impact on the protocol:
Inaccurate Reward Calculation: Users may receive inaccurate claimable rewards due to the outdated supply index at the time of deposit. This discrepancy can lead to inconsistent or incorrect reward payouts for staking participants.
User Dissatisfaction: Inaccurate reward calculations can lead to user dissatisfaction, potentially eroding trust in the staking mechanism and the overall protocol.
Manual review
In the deposit function, update the user's supply index before executing the transferFrom operation to deposit tokens. By doing this, the contract ensures that the user's claimable rewards are based on the most recent supply index.
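The effect of the two orderings can be seen in a small model. This is an added example, not the audited contract's code: the class, its field names and the scenario are hypothetical, and it assumes the global index spreads newly received rewards over the staking tokens the contract holds at the moment of the update.

```python
SCALE = 10**18  # fixed-point scale for the reward index

class StakingModel:
    """Hypothetical index-based staking model, not the audited contract."""

    def __init__(self, update_before_transfer):
        self.update_before_transfer = update_before_transfer
        self.staked = 0        # staking tokens held by the contract
        self.rewards = 0       # reward tokens received so far
        self.accounted = 0     # rewards already folded into the index
        self.index = 0         # global rewards per staked token, scaled
        self.balances, self.supply_index, self.claimable = {}, {}, {}

    def add_rewards(self, amount):
        self.rewards += amount

    def update_for(self, user):
        # Assumption: new rewards are spread over the tokens the contract holds now.
        if self.staked > 0 and self.rewards > self.accounted:
            self.index += (self.rewards - self.accounted) * SCALE // self.staked
            self.accounted = self.rewards
        # Settle the user against the index, then record the index they have seen.
        delta = self.index - self.supply_index.get(user, 0)
        earned = self.balances.get(user, 0) * delta // SCALE
        self.claimable[user] = self.claimable.get(user, 0) + earned
        self.supply_index[user] = self.index

    def deposit(self, user, amount):
        if self.update_before_transfer:
            self.update_for(user)      # recommended order: index first
            self.staked += amount      # stands in for transferFrom
        else:
            self.staked += amount      # reported order: transferFrom first
            self.update_for(user)
        self.balances[user] = self.balances.get(user, 0) + amount

def run_scenario(update_before_transfer):
    """Constructed scenario: alice stakes, rewards arrive, then bob stakes."""
    pool = StakingModel(update_before_transfer)
    pool.deposit("alice", 100)
    pool.add_rewards(10)
    pool.deposit("bob", 100)
    pool.update_for("alice")
    return pool.claimable["alice"], pool.claimable["bob"]

if __name__ == "__main__":
    print("index updated first:", run_scenario(True))
    print("transferFrom first: ", run_scenario(False))
```

In this model the late update divides the 10 pending reward tokens by a supply that already includes bob's 100, so alice is credited 5 instead of 10 and the remainder is assigned to no one.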