Summary

Users can rake points by repeatedly staking and unstaking their assets due to the lack of point adjustments when unstaking.

Vulnerability Details

The code on main.js handles points calculation. The code relies on event listener to identify that asset staking has occurred. If this happens, then the code computes the steakPoints by:

• Recalling the existing value, if exists, from the database.

• Adding the new points to the existing ones.

• Storing the points to the database.

While the logic to add points seem to be correct, there is a lack of code to subtract points when users unstake their assets before the due date. This means that the points can only increase and cannot decrease.

This behaviour can be exploited by users to get as many $STEAK tokens as possible by raking points. The exploit can be done by repeatedly calling stake() and unstake() which will be valid as long as the staking period has not passed.

Impact

Unfair points collection by users which does not reflect their contribution to the project.

Tools Used

Manual review.

Recommendations

Add code to deduct points when the users unstake their assets.