An error in the rewardPerToken calculation causes some accounts to receive more rewards than they are owed, and the last user to withdraw will be unable to do so because the total reward is insufficient.
Background:
1. The protocol adopts the rewardPerToken model. Before the total reward and the total pledge amount change, rewardPerToken and the settling user's reward income are updated first. rewardPerToken represents the cumulative reward of each token in each epoch.
2. The contract uses pendingRewards / totalStaked to calculate rewardPerToken. Note, however, that totalStaked here does not include newStaked.
3. newStaked indicates new pledges before this cycle, which have not yet been aggregated into totalStaked.
4. Because of 3, the rewardPerToken calculated in 2 should not be used to calculate the reward of the newStaked part.
5. In the _redeem function, rewardPerToken is used to calculate the reward of the newStaked part.
6. As a result, the reward calculated in 5 is too high, and these users will receive more rewards.
7. On the other hand, the rewards recorded by totalRewards become too small. When the rewards are finally claimed, the last user's call will revert because totalRewards is not enough for the subtraction, so the last user cannot withdraw their rewards.
The reward calculation is wrong: some users will receive additional rewards, and some users cannot receive their rewards.
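The accounting drift described above, as an added Python model that is not the audited contract's code. It assumes a single epoch, a full exit on redeem and an 18-decimal fixed-point scale; the class, its methods and the sample amounts are hypothetical, and only rewardPerToken, totalStaked, newStaked, pendingRewards, totalRewards and _redeem come from the report.

```python
# Added one-epoch model, not the audited contract; helper names are hypothetical.
SCALE = 10**18  # fixed-point scale for rewardPerToken (assumed)

class Pool:
    def __init__(self, count_new_staked):
        self.count_new_staked = count_new_staked  # True = behaviour reported for _redeem
        self.total_staked = 0    # stake already aggregated into the reward base
        self.total_rewards = 0   # rewards still owed, decremented on redeem
        self.reward_per_token = 0
        self.staked, self.new_staked = {}, {}

    def stake(self, user, amount):
        self.new_staked[user] = self.new_staked.get(user, 0) + amount

    def aggregate(self):
        # Move pending pledges from newStaked into totalStaked.
        for user, amount in self.new_staked.items():
            self.staked[user] = self.staked.get(user, 0) + amount
            self.total_staked += amount
        self.new_staked = {}

    def distribute(self, pending_rewards):
        # rewardPerToken = pendingRewards / totalStaked; newStaked is not in the divisor.
        if self.total_staked:
            self.reward_per_token += pending_rewards * SCALE // self.total_staked
            self.total_rewards += pending_rewards

    def redeem(self, user):
        base = self.staked.get(user, 0)
        if self.count_new_staked:
            base += self.new_staked.get(user, 0)  # flaw: newStaked earns this epoch's rate
        reward = base * self.reward_per_token // SCALE
        if reward > self.total_rewards:
            raise ArithmeticError("totalRewards underflow")  # checked subtraction reverts
        self.total_rewards -= reward
        self.staked.pop(user, None)
        self.new_staked.pop(user, None)
        return reward

def run(count_new_staked):
    pool = Pool(count_new_staked)
    pool.stake("alice", 100)
    pool.aggregate()          # alice is now part of totalStaked
    pool.stake("bob", 100)    # bob is only in newStaked
    pool.distribute(100)      # constructed sample: 100 reward units this epoch
    paid = {"bob": pool.redeem("bob")}
    try:
        paid["alice"] = pool.redeem("alice")
    except ArithmeticError:
        paid["alice"] = None  # last redeemer cannot withdraw
    return paid
```

With the newStaked part counted, the model pays out the whole epoch reward to the new pledge and the earlier staker's redeem fails; with it excluded, the sum of payouts equals totalRewards, which is the invariant a regression test for the fix should assert.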
manual