TempleGold
TempleDAO
Foundry
25,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

H-02 TempleGoldStaking::_rewardPerToken() is susceptible to frontrun attacks due to divison by totalSupply.

stanchev

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-templegold/blob/57a3e597e9199f9e9e0c26aab2123332eb19cc28/protocol/contracts/templegold/TempleGoldStaking.sol#L507

Summary

TempleGoldStaking::_rewardPerToken() is susceptible to frontrun attacks due to divison by totalSupply.

Vulnerability Details

A malicious user could surveil the mempool for a distributeRewards() call, or any other call that distributes rewards(witdraw with boolean true for getting rewards etc.), whenever such transaction occurs the malicous user can frontrun by staking large amounts of tokens.
This way user could be griefed out of his staking rewards making them lesser than expected. Attack will not cost anything as the attacker could decide to proceed with the stake and even farm his rewards later, or just unstake later.

function _rewardPerToken() internal view returns (uint256) {
if (totalSupply == 0) {
return rewardData.rewardPerTokenStored;
}
return
rewardData.rewardPerTokenStored +(((_lastTimeRewardApplicable(rewardData.periodFinish) - rewardData.lastUpdateTime) * rewardData.rewardRate * 1e18) / totalSupply); //@audit front run attack due to totalSupply
}

Impact

High

Tools Used

Manual review

Recommendations

Make calculations for _rewardPerToken not based on totalSupply, but on a individual parameter based on the user index.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.