TempleGold

TempleDAO

Foundry

25,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

A user could postpone the reward to the next epoch by front-running

jesjupyter

Summary

In TempleGoldStaking , if distributionStarter == address(0), anyone can call the function distributeRewards to distribute TempleGold rewards to stakers. In some cases, a user could intentionally postpone the reward to the next epoch and make others wait another rewardDistributionCoolDown by front-running the notifyDistribution from the TempleGold.

Vulnerability Details

If distributionStarter == address(0), anyone can call the function distributeRewards to distribute TempleGold rewards to stakers.

function distributeRewards() updateReward(address(0), 0) external {

if (distributionStarter != address(0) && msg.sender != distributionStarter)

{ revert CommonEventsAndErrors.InvalidAccess(); }

...

}

When the TempleGold contract calls TempleGoldStaking::notifyDistribution to add nextRewardAmount with large amount of token minted, a user could intentionally postpone the reward to the next epoch.

uint256 rewardAmount = nextRewardAmount;

// revert if next reward is 0 or less than reward duration (final dust amounts)

if (rewardAmount < rewardDuration ) { revert CommonEventsAndErrors.ExpectedNonZero(); }

nextRewardAmount = 0;

_notifyReward(rewardAmount);

Others will have to wait additionally rewardDistributionCoolDown to be able to distribute again. During this interval, the user could stake by himself to enjoy the high reward rate for the following epoch.

if (lastRewardNotificationTimestamp + rewardDistributionCoolDown > block.timestamp)

{ revert CannotDistribute(); }

Impact

A user could purposely postpone the large reward to the next epoch and stake during the rewardDistributionCoolDown to get himself prepared for the high reward.

Tools Used

Manual

Recommendations

To mitigate this issue:

remove the setup of rewardDistributionCoolDown or make it as 0.
Add access control to distributeRewards

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

setRewardDuration and setVestingPeriod can be griefed from anyone when distributionStarter is unset

Prize pool breakdown

Total prize

25,000 USDC

nSLOC

998

25 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Judges

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.