Temple gold staking vesting mechanic bricks rewards inside the contract
Summary
TempleGoldStaking vesting mechanic locks tokens in the contract.
Vulnerability Details
TempleGold mints rewards to three modules. One of them is TempleGoldStaking, where on _distributeGold being triggered, TempleGold will mint tokens, invoke notifyDistribution, and increase nextRewardAmount. In short, TempleGoldStaking receives tokens and accounts them inside nextRewardAmount.
When a new epoch is started, this amount is calculated with rewardDuration to make rewardRate:
The issue we face is that this math doesn't account for the fact that _earned will distribute only a portion of the reward if the user is vesting.
In cases where users are vesting, the contract will allocate X tokens to them, but they will only claim X - Y tokens, as their vest lowers their reward. TempleGoldStaking still accounts this amount in its internal accounting; however, the tokens will remain stuck inside the contract.
Example:
| Prerequisites | Values |
|---|---|
| Users | 10 |
| Staked tokens | 1000 |
| Reward per week | 1 per 10 tokens staked (100) |
| Vesting duration | 2 weeks |
In our case, User10 has just staked, and the rest of the users have fully vested their stakes.
After 1 week, the epoch will distribute 100 tokens.
Each staker claims 10 as each owns 10% of the shares.
User10 claims 5 tokens as his vesting is 50% done.
5 tokens remain stuck inside the contract, as everyone has claimed and their rewards are synced.
Impact
Loss of funds.
Tools Used
Manual review
Recommendations
Consider changing the math inside _earned or somehow distribute the rest of the tokens to the contract or the team gnosis.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.