Instant Reward Accumulation and Premature Withdrawals Enable Reward Manipulation
Summary
This flaw arises from the ability to stake funds and withdrawing these funds even before the pool's designated payout start while accruing the rewards from the deposit. This mechanism can be exploited repeatedly to accumulate rewards disproportionately without genuine participation in the staking protocol.
Vulnerability Details
The distribution contract calculates new rewards based on the pool's rate change since the user's last interaction disregarding the duration the funds were actually staked.
A malicious user stakes some amount and stake function culculates pending rewards and updates userData and PoolData.The user proceeds to call the withdraw function to withdraw the previously staked amount.
The withdraw function has a require statement:
The first condition allows a user to proceed with withdraw even before pool.payoutStart which can be anytime after staking.The _getCurrentUserReward() returns the user rewards based on rate change (currentPoolRate_ - userData_.rate) and the rewards are stored in userData to be claimed later.
The user can repeat this process, accruing rewards without genuine long-term staking
Impact
Malicious actors can accumulate rewards without genuine participation depleting the reward pool rapidly and disadvantaging honest participants.
Tools Used
Manual Review
Recommendations
Modify the reward calculation mechanism to consider the duration of staking
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.