When users first deposit into TempleGoldStaking their stake vests over a fixed period, and during that period they can claim only a proportional share of their rewards. However, because _earned applies the vesting rate in effect at claim time rather than at the time the rewards accrued, a user who simply waits until the vest has ended can claim 100% of the rewards generated during the vest, as if there had been no vesting period at all.
When users stake, their position is forced to vest. The intent is that they cannot claim 100% of their rewards until the vest is over and they have shown commitment by not withdrawing their tokens. The calculation is in _earned, which scales the reward-per-token delta by the rate returned from _getVestingRate: a user who is 50% vested is eligible for 50% of the _rewardPerToken accrued to their stake.
https://github.com/Cyfrin/2024-07-templegold/blob/main/protocol/contracts/templegold/TempleGoldStaking.sol#L468
However, the function does not account for rewards that accrued during the vest but are claimed after the vest is over. Once the vest has ended, _getVestingRate returns 1e18 (100%), and that rate is applied to everything the stake has generated, including the rewards that accrued while the user was only partially vested. A user who waits therefore claims 100% of their generated rewards, as if there had been no vesting period to begin with.
Example:
Vesting is 1 week, and 1 token is distributed per week for every 10 tokens staked.
Alice stakes 100 tokens.
Alice waits 7 days and claims. She receives 10 tokens (100 staked tokens generate 10 per week).
Had she claimed at day 3.5, when 50% vested, _earned would have paid her 2.5 of the 5 tokens generated by then; by waiting until day 7 she receives all 10.
Notice how Alice, even though she went through the vesting period, still claimed 100% of her rewards.
Users bypass vesting by waiting until the vest ends before claiming: the vest delays their rewards but never reduces them, so the commitment mechanism it is meant to enforce has no effect.
Manual review
Account for when each portion of the rewards accrued relative to the vest when calculating user rewards, e.g. apply the vesting rate that was in effect while the rewards were generated rather than the rate at claim time.
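To make the arithmetic concrete, the following Python model reproduces the reward accounting described above (a Synthetix-style rewardPerToken accumulator scaled by a linear vesting rate) and runs the Alice scenario through it twice: once with the vesting rate applied at claim time, as _earned does, and once with a time-weighted rate as one possible implementation of the recommendation. This is an added example, not code from the TempleGold repository. The linear vest from stakeTime to fullyVestedAt, the checkpoint of userRewardPerTokenPaid on every claim, the reward rate of 10 tokens per week for 100 staked, and the time_weighted variant are all assumptions made for the illustration.

```python
"""Model of the reward math described in the finding. Added example, not the
project's code. Assumed: linear vest, _getVestingRate == 1e18 once the vest
has ended, and userRewardPerTokenPaid checkpointed on every claim."""

WAD = 10**18
WEEK = 7 * 24 * 60 * 60


class Stake:
    def __init__(self, amount, stake_time, fully_vested_at, rpt_paid):
        self.amount = amount
        self.stake_time = stake_time
        self.fully_vested_at = fully_vested_at
        self.rpt_paid = rpt_paid          # userRewardPerTokenPaid
        self.last_checkpoint = stake_time # only used by the time-weighted fix


class StakingModel:
    def __init__(self, reward_rate, vesting_period, time_weighted=False):
        self.reward_rate = reward_rate        # reward wei distributed per second
        self.vesting_period = vesting_period
        self.time_weighted = time_weighted    # False = behaviour in the finding
        self.total_supply = 0
        self.rpt_stored = 0                   # rewardPerTokenStored
        self.last_update = 0
        self.stakes = {}

    def _reward_per_token(self, now):
        if self.total_supply == 0:
            return self.rpt_stored
        elapsed = now - self.last_update
        return self.rpt_stored + elapsed * self.reward_rate * WAD // self.total_supply

    def _checkpoint(self, now):
        self.rpt_stored = self._reward_per_token(now)
        self.last_update = now

    def _vesting_rate(self, s, now):
        """Mirrors _getVestingRate: linear ramp to 1e18, then 1e18 forever."""
        if now >= s.fully_vested_at:
            return WAD
        return (now - s.stake_time) * WAD // self.vesting_period

    def _time_weighted_rate(self, s, t0, t1):
        """Average vesting rate over [t0, t1] (assumed fix): rewards keep the
        rate they accrued at, so the claim time no longer matters."""
        a = min(t0, s.fully_vested_at)
        c = min(t1, s.fully_vested_at)
        ramp = ((c - s.stake_time) ** 2 - (a - s.stake_time) ** 2) * WAD // (2 * self.vesting_period)
        flat = max(0, t1 - s.fully_vested_at) * WAD
        return (ramp + flat) // (t1 - t0)

    def earned(self, who, now):
        """Mirrors _earned: amount * rate * (rewardPerToken - paid) / 1e36.
        Claims here always pay out in full, so the claimableRewards term is 0."""
        s = self.stakes[who]
        delta = self._reward_per_token(now) - s.rpt_paid
        if delta == 0:
            return 0
        if self.time_weighted:
            rate = self._time_weighted_rate(s, s.last_checkpoint, now)
        else:
            rate = self._vesting_rate(s, now)  # rate at claim time scales everything
        return s.amount * rate * delta // (WAD * WAD)

    def stake(self, who, amount, now):
        self._checkpoint(now)
        self.total_supply += amount
        self.stakes[who] = Stake(amount, now, now + self.vesting_period, self.rpt_stored)

    def claim(self, who, now):
        self._checkpoint(now)
        s = self.stakes[who]
        paid = self.earned(who, now)
        s.rpt_paid = self.rpt_stored
        s.last_checkpoint = now
        return paid


def alice_claims(claim_times, time_weighted=False):
    """The finding's scenario (constructed numbers): 1-week vest, Alice is the
    only staker with 100 tokens, which generate 10 reward tokens per week.
    Returns the tokens received at each claim, rounded to 6 decimals."""
    m = StakingModel(reward_rate=10 * WAD // WEEK, vesting_period=WEEK,
                     time_weighted=time_weighted)
    m.stake("alice", 100 * WAD, 0)
    return [round(m.claim("alice", t) / WAD, 6) for t in claim_times]


if __name__ == "__main__":
    print("claim at day 7:", alice_claims([WEEK]))                # [10.0]
    print("claim at day 3.5 then 7:", alice_claims([WEEK // 2, WEEK]))  # [2.5, 5.0]
    print("time-weighted, day 7:", alice_claims([WEEK], True))   # [5.0]
    print("time-weighted, 3.5 then 7:", alice_claims([WEEK // 2, WEEK], True))  # [1.25, 3.75]
```

With the rate applied at claim time, Alice's first-week payout depends entirely on when she claims: 10 tokens if she waits for day 7, but only 7.5 in total if she claims at day 3.5 and again at day 7. With the time-weighted rate she receives 5 tokens for the first week on either schedule and the full 10 for the second week, which is what a vest that actually reduces rewards should look like. One caveat for a real implementation: averaging the rate across the user's own checkpoints assumes rewardPerToken grew linearly in between, which only holds while total supply and the reward rate are constant; a production fix needs to account for the vesting rate at every global reward update, not just at the user's claims.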