Severity: high
Valid

Lack of token locking during the staking period leads to disproportionate rewards

Summary

The claimReward function in the Staking module has a vulnerability. When a user claims a reward for the first time, the lastClaim mapping value is set to the timestamp of the soulmate matching. However, a user who has not staked any tokens before claiming rewards may be able to claim a disproportionate amount of reward.

Vulnerability Details

Let the idToCreationTimestamp mapping value for a couple be x. After y days, where y is an extremely large value, the user can stake love tokens and immediately claim the reward. On this first claim, lastClaim is set to the idToCreationTimestamp mapping value, so the elapsed time is measured from x rather than from the moment of staking. Consequently, the amountToClaim will be extremely large, even though the user did not stake tokens for the expected duration.

Impact

This vulnerability allows users to claim a disproportionate amount of tokens, potentially exploiting the system.

Tools Used

Manual Review

Recommendations

To mitigate this risk, consider implementing a mechanism to lock the tokens during the reward period. This would prevent users from exploiting the system by claiming rewards without staking tokens for the appropriate duration.
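One way to tie the reward clock to the deposit rather than to the couple's creation timestamp, shown as an added sketch that is not the audited contract or the submitter's code. The contract name, `token`, `rewardVault`, `userStakes`, `rewardsOwed` and `_checkpoint` are hypothetical, and the rate of one reward unit per staked unit per full week is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added sketch, not the audited contract. Assumed: one reward unit per staked
// unit per full week, and a rewardVault that has approved this contract.
contract StakingClockSketch {
    IERC20 public immutable token;        // hypothetical staking/reward token
    address public immutable rewardVault; // hypothetical reward source
    mapping(address => uint256) public userStakes;
    mapping(address => uint256) public lastClaim;   // start of the current accrual period
    mapping(address => uint256) public rewardsOwed; // settled but unpaid rewards
    error NothingToClaim();

    constructor(IERC20 token_, address rewardVault_) {
        token = token_;
        rewardVault = rewardVault_;
    }

    // Credit the full weeks earned by the balance held so far, then restart the
    // clock (any partial week is forfeited). A first-time staker has
    // userStakes == 0, so no reward accrues for time before the deposit.
    function _checkpoint(address user) internal {
        uint256 fullWeeks = (block.timestamp - lastClaim[user]) / 1 weeks;
        rewardsOwed[user] += userStakes[user] * fullWeeks;
        lastClaim[user] = block.timestamp;
    }

    function deposit(uint256 amount) external {
        _checkpoint(msg.sender);          // existing stake is settled up to now
        userStakes[msg.sender] += amount; // new tokens start earning from now
        require(token.transferFrom(msg.sender, address(this), amount), "stake failed");
    }

    function withdraw(uint256 amount) external {
        _checkpoint(msg.sender);
        userStakes[msg.sender] -= amount; // reverts on underflow (0.8 checked math)
        require(token.transfer(msg.sender, amount), "withdraw failed");
    }

    function claimReward() external returns (uint256 amountToClaim) {
        _checkpoint(msg.sender);
        amountToClaim = rewardsOwed[msg.sender];
        if (amountToClaim == 0) revert NothingToClaim();
        rewardsOwed[msg.sender] = 0;
        require(token.transferFrom(rewardVault, msg.sender, amountToClaim), "reward failed");
    }
}
```

Because every balance change settles the old balance first, a deposit made just before a claim earns nothing for the weeks that preceded it.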

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-claimRewards-multi-deposits-time

High severity, this allows users to claim additional rewards without committing to intended weekly staking period via multi-deposit/deposit right before claiming rewards.
