Incorrect pending rewards calculation leads to incorrect rewards distribution
Vulnerability details
Current pending rewards are calcualated using formula below:
It intends to distribute rewards to users that did not staked in current epoch. However current calculations are inccorrect and distribute funds to newly vested user's tokens. Bigger issue is that these rewards will be taken from users deposits, not from actuall rewards.
Proof of Concept
currentBalance = 100
totalVestedStaked = 0
newVestedStaked = 50
totalStaked = 10
newStaked = 20
totalRewards = 0
pendingRewards = (100 + 0 + 50) - 10 - 20 - 0 = 120
available rewards deposited by potocol = 100 - 50 - 20 - 10 = 20
From 100 contract balance we subtract newly deposited tokens which in this scenario are 50 (vested), 20 (staked) and total staked amount which is eqaul to 10. As a result we are left with 20 tokens to distribute to users that did not staked in current epoch. However current calculation uses 120 tokens as a rewards and adds newVestedStaked tokens in calculation for current round. It means that tokens that were deposited by users are going to be distributed as rewards for stakers.
Impact
User's staked tokens will be used as rewards leading to lose of funds and inability to unstake staked tokens.
Recommended Mitigation Steps
Fix pendingRewards calculation so it does not distribute user's deposited tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.