Users can farm points by repeatedly staking and unstaking their assets, because points are never adjusted when assets are unstaked.
The code in main.js handles the points calculation. It relies on an event listener to detect that an asset has been staked. When that event fires, the code computes the steakPoints by:
1. Recalling the existing value for the user from the database, if one exists.
2. Adding the newly earned points to the existing ones.
3. Storing the resulting total back to the database.
While the logic that adds points appears to be correct, there is no corresponding code to subtract points when users unstake their assets before the due date. As a result, a user's points can only increase and never decrease.
A user can exploit this to obtain as many $STEAK tokens as possible by farming points: repeatedly calling stake() and unstake() in a loop, where each stake() credits new points and the following unstake() removes none of them. This remains possible for as long as the staking period has not passed.
The impact is unfair points collection by users that does not reflect their actual contribution to the project.
Tool used: Manual review.
Recommended fix: add code that deducts points when users unstake their assets, so that the stored total reflects only the period during which the assets were actually staked.
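The following is an added illustration, not code from the project's main.js, that models the listener logic described above and the recommended fix side by side, then simulates the stake/unstake loop. The in-memory store, the handler names (vulnerableHandler, fixedHandler, runExploit) and the points formula (amount multiplied by the time remaining in the period, credited up front) are all assumptions made for this example; the page does not specify how steakPoints are computed.

```javascript
// Added example, not the project's code. The store, handler names and the
// points formula below are assumptions made for illustration only.

// Constructed in-memory stand-in for the database, keyed by staker address.
function createStore() {
  const db = new Map();
  return {
    get: (addr) => db.get(addr) ?? 0,
    set: (addr, pts) => db.set(addr, pts),
  };
}

// Assumed points formula: amount times the time remaining until the period
// ends, credited in full at stake time.
function pointsFor(amount, stakedAt, periodEnd) {
  return amount * Math.max(0, periodEnd - stakedAt);
}

// Vulnerable listener: only the Staked event touches the stored value, and only
// upward. Unstaked is observed but ignored, so points never decrease.
function vulnerableHandler(store, periodEnd) {
  return {
    onStaked(user, amount, ts) {
      const existing = store.get(user);                              // recall existing value
      store.set(user, existing + pointsFor(amount, ts, periodEnd));  // add new points and store
    },
    onUnstaked(_user, _amount, _ts) {
      // No adjustment here: this is the missing deduction.
    },
  };
}

// Fixed listener: an early unstake deducts the points that were credited for
// the part of the period the assets will no longer be staked.
function fixedHandler(store, periodEnd) {
  return {
    onStaked(user, amount, ts) {
      store.set(user, store.get(user) + pointsFor(amount, ts, periodEnd));
    },
    onUnstaked(user, amount, ts) {
      const deduction = pointsFor(amount, ts, periodEnd);
      store.set(user, Math.max(0, store.get(user) - deduction));
    },
  };
}

// Simulate the attack: stake 100 and unstake it one tick later, `rounds`
// times, all before the period ends. Returns the final points balance.
function runExploit(makeHandler, rounds) {
  const periodEnd = 1000;
  const store = createStore();
  const handler = makeHandler(store, periodEnd);
  const user = "0xattacker"; // constructed address
  let ts = 0;
  for (let i = 0; i < rounds; i++) {
    handler.onStaked(user, 100, ts);
    handler.onUnstaked(user, 100, ts + 1);
    ts += 2;
  }
  return store.get(user);
}

// Honest baseline for comparison: stake 100 once at the start and hold.
function honestBaseline(makeHandler) {
  return runExploit(makeHandler, 1);
}
```

With the vulnerable handler, ten stake/unstake rounds that hold the assets for a single tick each yield roughly ten times the points of an honest staker who holds the same amount for the whole period; with the fixed handler the same loop yields only the points for the ten ticks actually staked.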