TempleGold

TempleDAO
Foundry
25,000 USDC
Submission Details
Severity: high
Invalid

Stakers that stake for more time beyond the vesting period get the same rewards as those that stake for less time beyond the vesting period

Summary

Users can take advantage of the fact that stakers who stake for more time beyond the vesting period get the same rewards as those who stake for less time beyond the vesting period.

Vulnerability Details

Here is a scenario:

  • User A and User B both stake their tokens, bringing the total supply to 1000e18.

  • Both wait for the vesting period to finish to claim the full amount of the reward.

  • Immediately after the vesting period has ended, User B withdraws his amount and claims the reward. User B then restakes the same amount, returning the total supply to 1000e18. He gets a new stake index and waits for the full vesting period to get the full amount for this second stake.

  • After the vesting period, User B withdraws again. User A also decides to withdraw. Both have staked the same amount for the same period of time. User A gets the same amount of rewards as User B gets for his second stake, but User B has already received another reward for the first stake, so he gets double the rewards of User A for the same amount.

Simply because User B was able to withdraw his amount and restake it, he gets double the reward of User A, even though both of them have staked the same amount for the same period of time.

Impact

Users won't find it beneficial to continue staking beyond the vesting period, since doing so adds nothing for them. There is also an imbalance in rewards earned by stakers staking the same amount for the same period of time, as some can earn more.

Tools Used

Manual Review

Recommendations

Calculate the reward based on both the staking period and the vesting period of a user instead of only the vesting period. This will incentivize users to continue staking even after the vesting period.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
