user can stake, claimPoints and unstake at same timestamp
Summary
When block.timestamp == lastDistribution + EPOCH_DURATION this allows users to stake , claimPoints and unstake at same time .User can flash loan tokens > stake > claimPoints > unstake which will lead more points being claimed.
Vulnerability Details
Users need to stake for a lifeCycle of 6 epochs to unstake but its possible to unstake within 1 epoch which is 1 week which allows staking > claiming > unstake in same epoch.
For flashloan scenario:
the if statement is true when block.timestamp = lastDistribution + EPOCH_DURATION which allows user toflash loan tokens > stake > claimPoints > unstake.
In function distributePoints():
For stake before EPOCH_DURATION end or claimPoints() :
user can stake before epoch end and claimPoints and unstake at same epoch same as flashloan but only flashloan is not applied because user needs to pay fees within the same transaction.
Impact
user can claim rewards without waiting for EPOCH_DURATION.
Tools Used
manual review
Recommendations
for flashloan : now cant at same block.timestamp
for stake before claim :
Recalculate points or rewards based on the actual duration that a user's stake was held within an epoch.
Appeal created
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.