There is a step-wise jump vulnerability in onTokenTransfer().
In this protocol the keeper is responsible for distributing rewards. It calls updateRewards() periodically under normal circumstances. A user can stake a very low amount [0.0001 SDL] for a certain amount of time without locking it and get a huge reward. For 0.0001 SDL he can get 1960.7843041138024 as a reward. So an attacker can watch for a transaction where someone stakes a large amount of SDL tokens, and just after that he can stake that minimum amount of tokens and get that reward.
A user does not need to lock their amount to get a huge reward. He just needs to wait until the staked amount of the pool has increased to a good amount, then stake a small amount of SDL tokens, and for that he can get a huge reward.
Run this test:
In this POC we can see that the first user staked 1000 days before the attacker, but there is still a very small difference between their rewards. After staking for more than 1000 days, the first user's reward is 2039.215686082276, whereas the reward of the attacker in a fraction of the time is 1960.7843041138024. After that, the attacker simply unstakes the amount.
Manual analysis.
A condition should be added so that any user, whether or not they locked their staked amount, can't withdraw rewards for a limited time. Alternatively, rewards should be distributed based on the staked amount and time.
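The two recommendations above, as a simplified off-chain model (an added example, not the protocol's contract code and not the POC from this finding). The Stake type, the function names, the 7-day cooldown and all sample amounts are assumptions constructed for illustration; the model ignores locking boosts.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class Stake:
    owner: str
    amount: float  # staked tokens (constructed sample values)
    start: int     # timestamp at which the stake was made


def snapshot_split(stakes, reward, now):
    """Lump-sum payout: shares depend only on balances held at 'now'."""
    live = [s for s in stakes if s.start <= now]
    total = sum(s.amount for s in live)
    return {s.owner: reward * s.amount / total for s in live}


def time_weighted_split(stakes, reward, period_start, now):
    """Mitigation 2: weight each stake by amount * seconds staked in the period."""
    weights = {}
    for s in stakes:
        held = max(0, now - max(s.start, period_start))
        weights[s.owner] = weights.get(s.owner, 0.0) + s.amount * held
    total = sum(weights.values())
    if total == 0:  # nobody was staked during the period
        return {owner: 0.0 for owner in weights}
    return {owner: reward * w / total for owner, w in weights.items()}


def cooldown_eligible(stake, now, cooldown=7 * DAY):
    """Mitigation 1: no reward withdrawal until the stake has aged 'cooldown'."""
    return now - stake.start >= cooldown


def demo():
    now = 1000 * DAY
    stakes = [
        Stake("early", 100.0, 0),        # staked for the whole 1000 days
        Stake("late", 100.0, now - 60),  # staked one minute before the payout
    ]
    reward = 4000.0  # constructed reward pool
    return (
        snapshot_split(stakes, reward, now),
        time_weighted_split(stakes, reward, 0, now),
        [cooldown_eligible(s, now) for s in stakes],
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the snapshot split both stakers receive the same payout despite the 1000-day difference in staking time; with time weighting or a cooldown the late stake earns almost nothing or cannot withdraw yet.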