The issue is that the rewards received depend on the pool's totalDeposited, rate and lastUpdated. However, in the stake function the rate is calculated and updated with the old totalDeposited, and only afterwards is the pool's totalDeposited updated with the current one:
This means that when a claim happens right after a stake operation, the calculation below in _getCurrentPoolRate:
returns a lower rate when attempting to get the reward, because totalDeposited and lastUpdated have both increased while rate is still the old rate.
An attacker notices this and calls stake to increase the pool's totalDeposited and lastUpdated, while the pool rate is set from the calculation using the previous totalDeposited.
The attacker then calls claim for a user.
The user receives very low rewards due to the division by the larger pool totalDeposited.
An attacker can grief any user out of their rewards due to this accounting issue and the missing permission check on claim().
Two things:
1: Update the rate so that it reflects the current pool totalDeposited.
2: Also ensure that the user grants permission for who may call claim() on their behalf.