Users can lower the rewards for other users
Summary
Updating rewards for other users lowers their generated rewards.
Vulnerability Details
TempleGoldStaking implements a vest, where users earn a partial amount of the rewards during vesting. After the vesting period, or if they wait it out, they get 100% of the generated rewards.
However, users are allowed to update the rewards for other users. Updating rewards mid-vesting will cause the original user to lose some percentage of their rewards. This can be done by calling getReward for the other user, which in turn invokes updateReward, updating their rewards at the lower rate.
Example:
The vesting factor is 1 month, and it distributes 1 token per week for every 10 tokens staked.
Alice stakes 100 tokens. If she claims after the vesting period is over, she would generate 40 tokens (10 * 4).
Bob doesn't like Alice, so he claims on her behalf at the end of every week to lower her rewards.
Alice would now generate 25 tokens instead of 40.
week 1 - 10 * 25% = 2.5
week 2 - 10 * 50% = 5
week 3 - 10 * 75% = 7.5
week 4 - 10 * 100% = 10
Impact
Users can lower the rewards for other users, causing griefing.
Tools Used
Manual review
Recommendations
Remove the ability for other users to claim on your behalf. This should also include stakeFor as it can trigger updateReward for other users.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.