Part 2
Zaros
PerpetualsDEXFoundrySolidity
70,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Staking additional shares causes loss of unclaimed rewards

cipher27

Summary

Users lose their accumulated rewards when staking additional shares without claiming existing rewards first.

Vulnerability Details

The issue occurs in the stake() function where accumulateActor() is called before updating the actor's shares.

File: Distribution.sol
61: function accumulateActor(Data storage self, bytes32 actorId) internal returns (SD59x18 valueChange) {
62: Actor storage actor = self.actor[actorId];
63: return _updateLastValuePerShare(self, actor, ud60x18(actor.shares));
64: }
...
093: function _updateLastValuePerShare(
094: Data storage self,
095: Actor storage actor,
096: UD60x18 newActorShares
097: )
098: private
099: returns (SD59x18 valueChange)
100: {
101: valueChange = _getActorValueChange(self, actor);
102:
103: actor.lastValuePerShare = newActorShares.eq(UD60x18_ZERO) ? int256(0) : self.valuePerShare;
104: }

When a user with existing staked shares stakes additional shares, accumulateActor() updates lastValuePerShare to the current valuePerShare, effectively resetting any accumulated but unclaimed rewards for their existing stake.

Impact

Users permanently lose their accumulated rewards when staking additional shares before claiming existing rewards.

Recommendations

stake() should accumulate rewards before updating the actor's shares.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Inside VaultRouterBranch if you stake wait some time then stake again makes you lose the rewards.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.