TempleGold (TempleDAO) | Foundry | 25,000 USDC

Submission Details
Severity: high
Status: Invalid

Users can game vesting by claiming after it ends

Summary

When users deposit into TempleGoldStaking, their stake vests over a fixed period, and during that period they can claim only a portion of their rewards. However, because _earned applies only the vesting rate current at claim time, and not the rate that was in effect while the rewards accrued, a user who waits until the vest has ended can claim 100% of the rewards generated during the vest, as if there had been no vesting at all.

Vulnerability Details

When users stake they are forced to vest their tokens. The idea is that they cannot claim 100% of their rewards until the vest is over and they have shown commitment by not withdrawing. The calculation lives in _earned: a user who is 50% vested is eligible for 50% of _rewardPerToken.

https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleGoldStaking.sol#L468

// Excerpt from _earned(); _perTokenReward is declared earlier in the function and is not shown here.
uint256 vestingRate = _getVestingRate(_stakeInfo);
if (vestingRate == 0) {
    return 0;                                   // nothing vested yet: nothing claimable
}
if (vestingRate == 1e18) {
    _perTokenReward = _rewardPerToken();        // vest complete: full reward-per-token
} else {
    _perTokenReward = _rewardPerToken() * vestingRate / 1e18;  // partial vest: scaled by the current rate
}
return
    (_stakeInfo.amount * (_perTokenReward - userRewardPerTokenPaid[_account][_index])) / 1e18 +
    claimableRewards[_account][_index];

However, this function does not distinguish between rewards accrued while the user was only partially vested and rewards accrued afterwards. Once the vest is over, _getVestingRate returns 1e18 (100%) and the user can claim 100% of everything they have generated, as if there had been no vesting period to begin with.

Example:

  1. Vesting lasts 1 week, and 1 reward token is distributed per week for every 10 tokens staked.

  2. Alice stakes 100 tokens.

  3. Alice waits 7 days, until the vest has ended, and claims. She receives 10 tokens (100 staked generate 10 per week).

Notice that Alice, even though her stake went through the full vesting period, still claimed 100% of the rewards.
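To make the arithmetic in the _earned excerpt concrete, here is an added Python model of it (not code from the submission or from the TempleGold repository). The _rewardPerToken() and _getVestingRate() bodies are assumptions chosen to reproduce the numbers in the example above: a linear reward stream of 10 tokens per week shared pro rata by stakers, and a linear vest ramp from 0 to 1e18 over one week that is capped at 1e18 once the vest has ended. Integer floor division stands in for uint256 arithmetic, and the underflow check stands in for the Solidity 0.8 revert. The model tabulates what Alice can claim at several points: 2.5 tokens at 50% vest (half of the 5 accrued so far), 10 tokens at the vest end, and 20 tokens a week later, because the 1e18 branch applies the full rate to everything accrued, whenever it accrued.

```python
# Added example: Python model of the reward arithmetic in the _earned excerpt.
# It is NOT the TempleGoldStaking contract. reward_per_token() and
# vesting_rate() are simplified assumptions (linear stream, linear ramp)
# chosen so the numbers in the submission's example can be checked.

ONE = 10**18            # 1e18 fixed-point scale used by the contract
DAY = 86_400
WEEK = 7 * DAY

VESTING_PERIOD = WEEK        # assumption: the vest lasts one week
REWARD_PER_WEEK = 10 * ONE   # assumption: 10 reward tokens/week to the whole pool,
                             # i.e. 1 token/week per 10 staked when 100 are staked


def reward_per_token(elapsed: int, total_supply: int) -> int:
    """Modelled _rewardPerToken(): cumulative reward per staked token, scaled by 1e18."""
    if total_supply == 0:
        return 0
    total_reward = REWARD_PER_WEEK * elapsed // WEEK
    return total_reward * ONE // total_supply


def vesting_rate(stake_time: int, now: int) -> int:
    """Modelled _getVestingRate(): fraction of the vest elapsed, scaled by 1e18, capped at 1e18."""
    elapsed = now - stake_time
    if elapsed <= 0:
        return 0
    if elapsed >= VESTING_PERIOD:
        return ONE                      # vest over: the excerpt's `vestingRate == 1e18` branch
    return elapsed * ONE // VESTING_PERIOD


def earned(amount: int, rpt: int, vest_rate: int,
           user_rpt_paid: int = 0, claimable: int = 0) -> int:
    """Line-for-line model of the _earned excerpt quoted in the submission."""
    if vest_rate == 0:
        return 0
    if vest_rate == ONE:
        per_token_reward = rpt
    else:
        per_token_reward = rpt * vest_rate // ONE
    if per_token_reward < user_rpt_paid:
        raise ArithmeticError("underflow: this subtraction would revert in Solidity 0.8")
    return amount * (per_token_reward - user_rpt_paid) // ONE + claimable


def alice_claim(days_after_stake: float) -> int:
    """Alice stakes 100 tokens at t=0 as the only staker and makes her first claim
    `days_after_stake` days later. Returns the claimable amount in wei (1e18 = 1 token)."""
    amount = 100 * ONE
    now = int(days_after_stake * DAY)
    rpt = reward_per_token(now, total_supply=amount)
    rate = vesting_rate(0, now)
    return earned(amount, rpt, rate)


def claim_schedule() -> dict:
    """Claimable amount in whole tokens (float) at several points in and after the vest."""
    return {d: alice_claim(d) / ONE for d in (0, 1, 3.5, 7, 14)}


if __name__ == "__main__":
    for day, tokens in claim_schedule().items():
        print(f"day {day:>4}: {tokens:.4f} tokens claimable")
```

Run it directly to print the schedule. Note that a claim during the vest is scaled twice over, by the reward accrued so far and by the vesting fraction, so at 50% vest Alice sees 2.5 tokens, not 5; at the vest end the scaling disappears and she sees the full 10.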

Impact

Users sidestep vesting: by deferring their first claim until the vest has ended, they receive the full reward for the vesting period, so the vest never reduces what they are paid.

Tools Used

Manual review

Recommendations

Account for the vesting rate in effect when each reward was accrued, rather than only the rate at claim time, when calculating user rewards.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
