Submission Details
Severity: high
Valid

MISSING POINT REDUCTION ON UNSTAKING ENABLES INFINITE AIRDROP REWARD EXPLOITATION

Summary

The backend that accumulates points for deposited ETH credits points when a user deposits, but it never deducts points when that user withdraws the funds.

Vulnerability Details

The backend (main.js) listens for the deposit event and allocates points to the depositor, but there is no corresponding mechanism that decreases points on withdrawal. Specifically, main.js has no listener for the withdrawal event, which is where the user's points should be reduced.

Impact

Because withdrawals carry no penalty or waiting period, a user can deposit, withdraw, and redeposit the same ETH indefinitely, earning fresh points on every cycle while keeping all previously awarded points. This gives such users an unjustified advantage in any future reward based on points (token distributions, airdrops).

Tools Used

Manual code analysis

Recommendations

Implement a listener for the withdrawal event in the backend. When a user withdraws ETH, decrease their points in proportion to the withdrawn amount, so that users retain points only for ETH that remains deposited.
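The withdrawal listener this recommendation calls for, as an added JavaScript example that is not the Steaking backend's own main.js. The event names (Staked/Unstaked), the points rate and the in-memory ledger are assumptions; replay() can also run with withdrawals ignored, which reproduces the reported behaviour for comparison.

```javascript
// Added example, not the Steaking project's own main.js. Event names,
// the points rate and the in-memory ledger layout are assumptions.
const WEI_PER_ETH = 10n ** 18n;
const POINTS_PER_ETH = 10n; // assumed rate: 10 points per full ETH deposited
class PointsLedger {
  constructor() {
    this.staked = new Map(); // user -> wei currently deposited
    this.points = new Map(); // user -> points held
  }
  getStaked(user) { return this.staked.get(user) ?? 0n; }
  getPoints(user) { return this.points.get(user) ?? 0n; }
  // Deposit handler: the part the reported backend already has.
  onStaked(user, amountWei) {
    const amt = BigInt(amountWei);
    this.staked.set(user, this.getStaked(user) + amt);
    this.points.set(user, this.getPoints(user) + (amt * POINTS_PER_ETH) / WEI_PER_ETH);
  }
  // Withdrawal handler: the missing piece. Points fall in proportion to the
  // share of the tracked deposit being withdrawn, so a full unstake zeroes them.
  onUnstaked(user, amountWei) {
    const amt = BigInt(amountWei);
    const staked = this.getStaked(user);
    if (amt > staked) throw new RangeError(`unstake of ${amt} wei exceeds tracked deposit ${staked} for ${user}`);
    if (amt === 0n) return; // nothing to deduct (also avoids BigInt division by zero)
    const pts = this.getPoints(user);
    this.points.set(user, pts - (pts * amt) / staked);
    this.staked.set(user, staked - amt);
  }
}

// Replay {type, user, amount} events in order. With trackUnstakes=false the
// ledger behaves like the reported backend and ignores withdrawals entirely.
function replay(events, trackUnstakes = true) {
  const ledger = new PointsLedger();
  for (const ev of events) {
    if (ev.type === "Staked") ledger.onStaked(ev.user, ev.amount);
    else if (ev.type === "Unstaked" && trackUnstakes) ledger.onUnstaked(ev.user, ev.amount);
  }
  return ledger;
}

// Constructed sample: the deposit/withdraw loop from the report, three rounds of 2 ETH.
const ALICE = "0xalice"; // placeholder address, not a real account
const SAMPLE_EVENTS = [];
for (let i = 0; i < 3; i++) {
  SAMPLE_EVENTS.push({ type: "Staked", user: ALICE, amount: 2n * WEI_PER_ETH });
  SAMPLE_EVENTS.push({ type: "Unstaked", user: ALICE, amount: 2n * WEI_PER_ETH });
}
```

Replaying SAMPLE_EVENTS with withdrawals ignored leaves the user holding 60 points for 0 ETH on deposit; with the unstake handler active the same replay ends at 0 points.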

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Steaking server is not taking unstakes into account
