Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Users can add just-in-time liquidity to get profit from rewards

Summary

In the StakingPool contract, withdrawals have no cooldown period, and rewards are not updated before a withdrawal is processed.
As a result, users can add just-in-time liquidity to get a share of the rewards and then withdraw right after receiving them.

Vulnerability Details

In the StakingPool contract, rewards from strategies are updated by either the reward controller or one of the strategies, as implemented in the updateStrategyRewards function.

Also, the current withdrawal logic has no cooldown period.

Based on these facts, a malicious user can:

  • Deposit liquidity before updateStrategyRewards is called, then withdraw it right after the call to receive (or steal) a part of the rewards.

  • Withdraw liquidity before updateStrategyRewards is called when the strategy has a loss.

Impact

  • Steal a part of the rewards

  • Avoid a loss by withdrawing at the right moment

Tools Used

Manual Review

Recommendations

The withdrawal logic should include a cooldown to prevent users from adding just-in-time liquidity.
It is also recommended to fetch rewards before any deposit or withdrawal happens.
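The second recommendation can be checked with a simplified share-accounting model. This is an added example, not code from the StakingPool contract or from the submission: the class, the `sync_first` flag, the user names and the amounts are all constructed, and only `update_strategy_rewards` mirrors a name from the report.

```python
from fractions import Fraction

class PoolModel:
    """Simplified share-accounting model (constructed; not StakingPool's code)."""

    def __init__(self, sync_first):
        self.sync_first = sync_first      # hypothetical flag: fetch rewards before share changes
        self.total_staked = Fraction(0)   # value already reflected in the share price
        self.total_shares = Fraction(0)
        self.pending = Fraction(0)        # strategy rewards not yet accounted for
        self.shares = {}

    def accrue(self, amount):
        # Rewards build up in a strategy; the pool has not seen them yet.
        self.pending += amount

    def update_strategy_rewards(self):
        # Fold pending strategy rewards into the pool's accounted total.
        self.total_staked += self.pending
        self.pending = Fraction(0)

    def deposit(self, user, amount):
        if self.sync_first:
            self.update_strategy_rewards()
        if self.total_shares == 0:
            minted = Fraction(amount)
        else:
            minted = Fraction(amount) * self.total_shares / self.total_staked
        self.shares[user] = self.shares.get(user, Fraction(0)) + minted
        self.total_shares += minted
        self.total_staked += amount

    def withdraw_all(self, user):
        if self.sync_first:
            self.update_strategy_rewards()
        burned = self.shares.pop(user)
        amount = burned * self.total_staked / self.total_shares
        self.total_shares -= burned
        self.total_staked -= amount
        return amount

def late_depositor_profit(sync_first):
    pool = PoolModel(sync_first)
    pool.deposit("long_term", 1000)   # constructed amounts
    pool.accrue(100)                  # earned while only long_term was staked
    pool.deposit("late", 1000)        # arrives just before the update
    pool.update_strategy_rewards()
    return pool.withdraw_all("late") - 1000
```

With `sync_first` off, the late deposit is priced against a stale total and takes half of a reward it did not earn; with it on, the reward is folded into the share price first and the late deposit exits with exactly what it put in.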

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
