TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Potential for Unfair Reward Distribution Due to Reward Rate Manipulation

nexarion

Summary

The TempleGoldStaking contract's reward distribution mechanism, specifically the _notifyReward() function, is susceptible to potential manipulation. This could lead to unfair reward distribution among stakers, particularly if the function is called frequently with varying amounts.

Vulnerability Details

The vulnerability lies in the _notifyReward() function:

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L515-L529

function _notifyReward(uint256 amount) private {

if (block.timestamp >= rewardData.periodFinish) {

rewardData.rewardRate = uint216(amount / rewardDuration);

nextRewardAmount = amount - (rewardData.rewardRate * rewardDuration);

} else {

uint256 remaining = uint256(rewardData.periodFinish) - block.timestamp;

uint256 leftover = remaining * rewardData.rewardRate;

rewardData.rewardRate = uint216((amount + leftover) / rewardDuration);

nextRewardAmount = (amount + leftover) - (rewardData.rewardRate * rewardDuration);

}

rewardData.lastUpdateTime = uint40(block.timestamp);

rewardData.periodFinish = uint40(block.timestamp + rewardDuration);

}

Key issues:

The reward rate can be changed frequently, potentially allowing for strategic timing of rewards.
The use of block.timestamp makes the function susceptible to minor manipulations by miners.
Precision loss may occur due to the conversion to uint216 for rewardRate.
Dust accumulation in nextRewardAmount could lead to undistributed rewards.

While the function is private, it's called by distributeRewards() and indirectly by notifyDistribution(), which is callable by the reward token contract. If these access points are compromised or manipulated, it could lead to unfair reward distribution.

Impact

The potential impacts of this vulnerability include:

Uneven distribution of rewards among stakers with similar stake amounts and durations.
Possibility for strategic actors to maximize their rewards at the expense of other stakers.
Accumulation of undistributed rewards over time.

Tools Used

Manual review

Recommendations

Implement a minimum threshold for reward notifications to prevent frequent small updates that could be used for manipulation.
Consider using a time-weighted average for reward rates to smooth out short-term fluctuations and reduce the impact of individual notifications.
Add additional checks to ensure that rewardrate changes are within expected bounds.
Consider distributing accumulated dust (nextRewardAmount) periodically to ensure all rewards are distributed.
Use a more precise data type for rewardRate to minimize precision loss.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.