Staking::claimRewards calculates the reward on the basis of lastClaim instead of the actual staked time, leading to distribution of a smaller amount.
Therefore, even if a user has staked for some weeks and is eligible for some amount, they will not be able to claim when the last claim was made at a point such that a full week has not been completed since it: the actual staked time was fulfilled, but the time measured from the last claim was not.
Using the last claim as the parameter for measuring staking time is incorrect: it does not show the actual staked time, only the time when a claim was made.
The vulnerability is present in the Staking::claimRewards function and arises from using the last claim as the parameter for measuring staking time instead of the time for which the amount has actually been staked.
Consider the case where a user deposits some amount and makes a claim after 1.5 weeks, so lastClaim is set to the timestamp of that claim. When the staked time reaches 2 weeks, the user should be eligible to claim for the next week, but cannot, because lastClaim was set when 1.5 weeks had passed. Measured from the last claim, only 0.5 weeks have passed, which is incorrect.
Users will not be able to claim staking rewards even though they have staked for a full week, because staked time is measured from the last claim.
Manual Review
Use the staking timestamp instead of the last claim timestamp when deciding whether a claim is due.
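The 1.5-week / 2-week scenario above, replayed against two accounting schemes, as an added example that is not the contract's code. The class and function names are hypothetical, and the model assumes whole weeks are counted by integer division, that a claim with zero whole weeks is rejected without changing state, and that the stake-time variant also records the weeks already paid.

```python
WEEK = 7 * 24 * 60 * 60  # seconds; same value as Solidity's `1 weeks`


class LastClaimAccounting:
    """Assumed model of the reported behaviour: elapsed time is measured
    from lastClaim, and lastClaim is reset to `now` on a successful claim."""

    def __init__(self, staked_at):
        self.last_claim = staked_at

    def claim(self, now):
        weeks = (now - self.last_claim) // WEEK
        if weeks == 0:
            return 0  # modelled as a rejected claim, state unchanged
        # Resetting to `now` discards the partial week already accrued.
        self.last_claim = now
        return weeks


class StakeTimeAccounting:
    """Recommended direction: measure from the staking timestamp and
    remember how many whole weeks have already been paid."""

    def __init__(self, staked_at):
        self.staked_at = staked_at
        self.weeks_paid = 0

    def claim(self, now):
        total = (now - self.staked_at) // WEEK
        due = total - self.weeks_paid
        self.weeks_paid = total
        return due


def replay(accounting_cls, claim_times, staked_at=0):
    """Return the whole weeks paid out by each claim, in order."""
    acct = accounting_cls(staked_at)
    return [acct.claim(t) for t in claim_times]


# Constructed scenario from the finding: claims at 1.5 weeks and at 2 weeks.
SCENARIO = [WEEK * 3 // 2, WEEK * 2]

if __name__ == "__main__":
    print("lastClaim-based :", replay(LastClaimAccounting, SCENARIO))
    print("stake-time-based:", replay(StakeTimeAccounting, SCENARIO))
```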
High severity, this allows users to claim additional rewards without committing to intended weekly staking period via multi-deposit/deposit right before claiming rewards.