Flash Loan Exploit Manipulates Rewards
Summary
This issue stems from the ability to deposit large amounts (e.g., via a flash loan) and immediately withdraw within the same block combined with the reward calculation mechanism that does not adequately account for the short duration of stake.
Vulnerability Details
The attacker stakes a flash loan amount into the staking pool which significantly increases the poolData.totalDeposited and userData.deposited amount in the pool for a very brief period. In the same block the withdraw is executed.
The withdraw allows anyone to withdraw before pool.payoutStart which can be anytime after staking including when staking in this require statement:
when the withdraw is called,the _getCurrentPoolRate is executed and Since the totalDeposited is temporarily inflated due to the flash loan, the division results in a smaller increase in the pool rate than it would under normal circumstances.
However, At the time of withdrawal, the smart contract calculates the attacker's rewards based on the change in pool rate since their last interaction and the inflated userData.deposited
The flash loan reduces the Poolrate slightly as its used inversely but the impact of multiplying the flashloan directly with the rate is huge and an attacker can accumulate rewards while withdrawing which can be claimed later on. The attacker repays the flash loan within the same transaction block
Impact
Malicious actors can siphon off disproportionately high rewards, leaving genuine participants with reduced earnings
Tools Used
Manual Review
Recommendations
Restrict Single-Block Stake-Withdrawal
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.