Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Lack of Access Control in distributeRewards Function

Summary
The distributeRewards function in the RewardsPool contract lacks proper access control, allowing any external account to trigger reward distribution. This vulnerability could lead to unauthorized manipulation of the reward system, potentially disrupting the tokenomics and trust in the platform.

Vulnerability Details

The distributeRewards function is designed to distribute new rewards that have been deposited into the contract. However, the function does not implement any access control mechanisms. As demonstrated by the passing test case:

// Assumed imports: the original snippet relies on the project's Hardhat test setup.
// loadFixture comes from hardhat-network-helpers and assert from chai; deployFixture,
// toEther and fromEther are the project's own test helpers and are not shown here.
const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers');
const { assert } = require('chai');

it('should demonstrate lack of access control for distributeRewards', async () => {
  const { signers, adrs, token1, rewardsPool1 } = await loadFixture(deployFixture);
  // Transfer tokens directly to the RewardsPool contract
  await token1.transfer(adrs.rewardsPool1, toEther(100));
  // Call distributeRewards from an unauthorized account
  await rewardsPool1.connect(signers[5]).distributeRewards();
  // Check if rewards were distributed despite lack of authorization
  const totalRewards = await rewardsPool1.totalRewards();
  assert.equal(fromEther(totalRewards), 100, 'Unauthorized distribution should have succeeded');
});

This test shows that an unauthorized account (signers[5]) can successfully call the distributeRewards function, resulting in the distribution of rewards.

Impact

The lack of access control on the distributeRewards function can have several severe consequences:

  • Unauthorized Reward Distribution: Malicious actors can trigger reward distributions at will, potentially disrupting the intended reward schedule.

  • Economic Manipulation: Attackers could time their calls to distributeRewards to benefit certain users unfairly or to manipulate token prices.

  • Denial of Service: Continuous calling of this function by bots or malicious actors could lead to unnecessary gas costs and network congestion.

  • Loss of Trust: Users may lose confidence in the platform if they perceive that the reward system can be manipulated by unauthorized parties.

Tools Used

Manual

Recommendations

To address this vulnerability, consider implementing the following changes:

  1. Add Access Control

  2. Use a Time-Lock Mechanism
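The two recommendations above, shown together in a hypothetical contract. This is an added example written for this report, not stake.link's RewardsPool: it only reproduces the shape the finding describes (tokens sent to the contract are swept into totalRewards by distributeRewards) and layers an allow-listed caller set and a minimum interval on top. The names GuardedRewardsPool, isDistributor, minInterval and the simplified accounting model (nothing is ever withdrawn, so totalRewards equals the swept balance) are assumptions of the example, not the project's API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here. Assumption: the pool holds a standard ERC-20 reward token.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical hardened pool written for this report. It is NOT stake.link's RewardsPool;
// it only reproduces the shape the finding describes (sweep tokens sent to the contract
// into totalRewards) and adds the two recommended mitigations.
contract GuardedRewardsPool {
    IERC20 public immutable token;
    address public owner;
    mapping(address => bool) public isDistributor; // accounts allowed to trigger a distribution

    uint256 public totalRewards;     // tokens accounted for as rewards so far (simplified model:
                                     // nothing is ever withdrawn, so this equals the swept balance)
    uint256 public lastDistribution; // timestamp of the last successful distributeRewards
    uint256 public minInterval;      // time-lock: minimum seconds between two distributions

    event RewardsDistributed(address indexed caller, uint256 amount);

    error NotAuthorized(address caller);
    error TooSoon(uint256 nextAllowedAt);
    error NothingToDistribute();

    constructor(IERC20 rewardToken, uint256 interval) {
        token = rewardToken;
        owner = msg.sender;
        minInterval = interval;
        isDistributor[msg.sender] = true; // deployer is the first authorised distributor
    }

    // Mitigation 1: access control. Only the owner manages the distributor set,
    // and only distributors may call distributeRewards.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotAuthorized(msg.sender);
        _;
    }

    modifier onlyDistributor() {
        if (!isDistributor[msg.sender]) revert NotAuthorized(msg.sender);
        _;
    }

    function setDistributor(address account, bool allowed) external onlyOwner {
        isDistributor[account] = allowed;
    }

    function setMinInterval(uint256 interval) external onlyOwner {
        minInterval = interval;
    }

    // Before (the shape the finding describes): no modifier, so any account can call this
    // at any time and force the deposited balance to be accounted as rewards immediately.
    //
    //   function distributeRewards() external {
    //       uint256 newRewards = token.balanceOf(address(this)) - totalRewards;
    //       totalRewards += newRewards;
    //   }

    // After: restricted caller set (mitigation 1) plus a minimum interval between
    // distributions (mitigation 2), so the schedule cannot be driven by arbitrary callers.
    function distributeRewards() external onlyDistributor {
        uint256 nextAllowedAt = lastDistribution + minInterval;
        if (block.timestamp < nextAllowedAt) revert TooSoon(nextAllowedAt);

        uint256 balance = token.balanceOf(address(this));
        uint256 newRewards = balance - totalRewards; // checked arithmetic: reverts if balance shrank
        if (newRewards == 0) revert NothingToDistribute();

        totalRewards = balance;
        lastDistribution = block.timestamp;
        emit RewardsDistributed(msg.sender, newRewards);
    }
}
```

Against this contract the test in the Vulnerability Details section would no longer pass as written: the call from signers[5] reverts with NotAuthorized, so the test would have to be inverted to expect the revert, and a second call from an authorised distributor inside minInterval would revert with TooSoon. The allow-list is deliberately separate from the owner so that a keeper or scheduler can be granted the distributor role without holding the owner key.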

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
