TempleGoldStaking `rewardPerTokenStored` can be inflated and rewards can be stolen
Summary
The first user who performs stake operation on TempleGoldStaking with least amount of TEMPLE token can inflate the rewardPerTokenStored. And the same user can call withdraw and drain the rewards.
Vulnerability Details
When a user performs stake with least amount of token, it updates the _totalSupply as 1 wei and the rewards through updateReward modifier. This modifier calls rewardPerToken() to assign the return to rewardPerTokenStored and assigns it to the account via userRewardPerTokenPaid[account] = rewardPerTokenStored; _rewardPerToken() formula is as below;
Since it depends on the denominator as totalSupply(), the whole multiplying will be divided by 1 wei which will inflate the rewardPerTokenStored astronomically. And there is no obstacle for the user to withdraw it in the withdraw function.
Impact
The first user who performs stake operation on TempleGoldStaking with least amount of TEMPLE token can inflate the rewardPerTokenStored. And the same user can call withdraw and drain the rewards.
Tools Used
N/A
Recommendations
To put some minimum stake amount for the user to perform staking.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.