stake.link

DeFiHardhatBridge
27,500 USDC
Submission Details
Severity: medium
Invalid

LinearBoostController: Lack of min lock duration.

Summary

There is no minimum lock duration. This would lead to a situation where a huge amount of tokens is locked for a short span of time and withdrawn when the rewards are favorable.

Vulnerability Details

Locks are created with the following parameters.
https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/base/SDLPool.sol#L18-L24

struct Lock {
    uint256 amount;
    uint256 boostAmount;
    uint64 startTime;
    uint64 duration;
    uint64 expiry;
}

One factor is duration: the user must lock for a certain duration of time to get boost and rewards. Once the duration has passed, they can withdraw the tokens.
While creating a lock, there is a check to ensure the lock duration does not exceed the max lock duration.

https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/LinearBoostController.sol#L36-L39

function getBoostAmount(uint256 _amount, uint64 _lockingDuration) external view returns (uint256) {
    if (_lockingDuration > maxLockingDuration) revert MaxLockingDurationExceeded();
    return (_amount * uint256(maxBoost) * uint256(_lockingDuration)) / uint256(maxLockingDuration);
}

This maxLockingDuration is set by the owner. We can see that there is no min lock duration.

Impact

A whale user could lock a big chunk of tokens for a short period of time, benefit from the rewards, and then withdraw their tokens.
This would lead to an issue where rewards are distributed disproportionately compared to genuine users.

Tools Used

Manual review.

Recommendations

We suggest introducing a new parameter such as a minimum lock duration and validating it when creating the lock.
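One way to implement the suggested check, as an added example that is not the project's own code (the names minLockingDuration, setMinLockingDuration and MinLockingDurationNotMet, the bounds validation, and the OpenZeppelin 4.x Ownable import are assumptions; the treatment of a zero duration as an unboosted lock is also assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

import "@openzeppelin/contracts/access/Ownable.sol"; // assumed: OpenZeppelin 4.x

/// Added example: a LinearBoostController that enforces the minimum locking
/// duration recommended above. Everything beyond maxLockingDuration, maxBoost
/// and getBoostAmount is assumed, not taken from the audited contract.
contract LinearBoostControllerWithMin is Ownable {
    uint64 public maxLockingDuration;
    uint64 public minLockingDuration; // assumed new parameter
    uint64 public maxBoost;

    error MaxLockingDurationExceeded();
    error MinLockingDurationNotMet(); // assumed new error
    error InvalidDurationBounds();    // assumed: min must not exceed max

    constructor(uint64 _minLockingDuration, uint64 _maxLockingDuration, uint64 _maxBoost) {
        if (_minLockingDuration > _maxLockingDuration) revert InvalidDurationBounds();
        minLockingDuration = _minLockingDuration;
        maxLockingDuration = _maxLockingDuration;
        maxBoost = _maxBoost;
    }

    // Owner-only setter, mirroring how maxLockingDuration is owner-controlled.
    function setMinLockingDuration(uint64 _minLockingDuration) external onlyOwner {
        if (_minLockingDuration > maxLockingDuration) revert InvalidDurationBounds();
        minLockingDuration = _minLockingDuration;
    }

    function getBoostAmount(uint256 _amount, uint64 _lockingDuration) external view returns (uint256) {
        if (_lockingDuration > maxLockingDuration) revert MaxLockingDurationExceeded();
        // Assumption: a zero duration denotes an unboosted lock and is left alone;
        // every boosted lock must meet the minimum, so a whale cannot take a
        // boost for a few blocks and immediately withdraw.
        if (_lockingDuration != 0 && _lockingDuration < minLockingDuration) {
            revert MinLockingDurationNotMet();
        }
        return (_amount * uint256(maxBoost) * uint256(_lockingDuration)) / uint256(maxLockingDuration);
    }
}
```

Because SDLPool calls getBoostAmount when a lock is created, enforcing the minimum here covers lock creation without touching the pool contract itself.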

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
