The addReward() function can be front-run, causing newly added reward tokens not to be accumulated into the rewardPerToken of the intended epoch.
Based on the comments of the addReward() function, its purpose is to:
Add new reward tokens for the current epoch.
Update the epoch to the next epoch.
This creates a vulnerability: a malicious actor can front-run the addReward() transaction by staking a small amount of tokens. The stake triggers the epoch rollover before addReward() executes, so the newly added rewards are allocated to the next epoch instead of the intended current epoch.
Steps to exploit:
The reward admin initiates the addReward() transaction, expecting it to be the last action of the current epoch.
A malicious actor detects this transaction and front-runs it by staking a minimal amount of tokens, which triggers _checkEpochRollover() and advances the epoch.
As a result, when the addReward() transaction is finally executed, the rewards are not added to the current epoch.
Malicious actors can front-run and grief the addReward() transaction at the end of each epoch, leading to the last epoch accumulating a large amount of rewards.
This allows malicious actors to misallocate rewards, leading to an unfair distribution.
Add rewards several blocks before the end of the epoch.
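Submitting the transaction earlier in the epoch reduces the window, but it does not make the call fail safely if a rollover has already happened. The following is an added illustration, not the audited contract's code: a minimal epoch-based reward pool (all names such as epochLength, stake(), _checkEpochRollover() and rewardsForEpoch are assumptions) showing the ordering problem in addRewardUnsafe() next to a hardened addReward() that takes the epoch the admin intends to fund and reverts with a clear error if the on-chain epoch no longer matches.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal epoch-based reward pool, written for this note to
// illustrate the ordering problem. It is NOT the audited contract; every
// name below (epochLength, stake, _checkEpochRollover, rewardsForEpoch)
// is an assumption made for the example.
contract EpochRewardsExample {
    uint256 public immutable epochLength;
    uint256 public currentEpoch;
    uint256 public epochStart;
    address public rewardAdmin;

    // Reward amount credited to each epoch.
    mapping(uint256 => uint256) public rewardsForEpoch;
    mapping(address => uint256) public staked;

    error WrongEpoch(uint256 expected, uint256 actual);
    error NotAdmin();

    constructor(uint256 _epochLength) {
        epochLength = _epochLength;
        epochStart = block.timestamp;
        rewardAdmin = msg.sender;
    }

    // Every state-changing user action first rolls the epoch forward once its
    // time window has elapsed. This is the hook a front-running staker can use
    // to advance the epoch just before the admin's transaction lands.
    function _checkEpochRollover() internal {
        if (block.timestamp >= epochStart + epochLength) {
            _rollToNextEpoch();
        }
    }

    function stake(uint256 amount) external {
        _checkEpochRollover();
        staked[msg.sender] += amount; // token transfer omitted for brevity
    }

    // Vulnerable pattern: the admin has no way to state which epoch the
    // rewards are for. If a stake() lands first and rolls the epoch over,
    // the rewards are silently credited to the *next* epoch.
    function addRewardUnsafe(uint256 amount) external {
        if (msg.sender != rewardAdmin) revert NotAdmin();
        _checkEpochRollover();
        rewardsForEpoch[currentEpoch] += amount;
        _rollToNextEpoch();
    }

    // Hardened pattern: the admin passes the epoch the rewards are intended
    // for. If a rollover already happened, the call reverts instead of
    // misallocating, and the admin can resubmit for the correct epoch.
    function addReward(uint256 amount, uint256 expectedEpoch) external {
        if (msg.sender != rewardAdmin) revert NotAdmin();
        _checkEpochRollover();
        if (currentEpoch != expectedEpoch) {
            revert WrongEpoch(expectedEpoch, currentEpoch);
        }
        rewardsForEpoch[currentEpoch] += amount;
        _rollToNextEpoch();
    }

    function _rollToNextEpoch() internal {
        currentEpoch += 1;
        epochStart = block.timestamp;
    }
}
```

The expectedEpoch check complements the recommendation above rather than replacing it: sending the transaction several blocks early keeps the honest path cheap, while the check turns the remaining race into a revert that is visible on-chain and easy to alert on, instead of a silent credit to the wrong epoch.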