Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

WETH Blacklist Griefing Attack on Reward Distribution System

cheatc0d33

Description

A malicious user can exploit WETH blacklisting to permanently disrupt the protocol's reward distribution mechanism, affecting all stakers in the vault and causing protocol-wide economic impact.

The vault's staking reward system has a critical vulnerability where a blacklisted WETH address can permanently lock their staking position and manipulate reward rates for all other users due to the requirement that users must claim all rewards before unstaking.

function unstake(uint128 vaultId, uint256 shares) external {

Distribution.Data storage wethRewardDistribution = vault.wethRewardDistribution;

// Get claimable rewards

UD60x18 amountToClaimX18 = vault.wethRewardDistribution.getActorValueChange(actorId).intoUD60x18();

// Critical check - prevents unstaking with unclaimed rewards

if (!amountToClaimX18.isZero()) revert Errors.UserHasPendingRewards(actorId, amountToClaimX18.intoUint256());

// ... rest of unstaking logic

}

Attack Scenario

Attacker stakes a significant amount in the vault
Accumulates WETH rewards over time
Gets their address blacklisted by WETH
Cannot claim rewards due to blacklist
Cannot unstake due to non-zero rewards check
Position remains locked, continuing to accumulate rewards

Impact

The attack triggers a systemic failure in the protocol's reward distribution mechanism, starting with the permanent locking of the attacker's staked position. This locked stake continues to participate in reward accumulation, creating an ever-widening distortion in the protocol's economics as rewards are continuously allocated to an irretrievable position. The impact cascades through the entire staking system, diluting rewards for legitimate participants and permanently skewing the protocol's distribution mathematics, with no existing mechanism to rectify or mitigate the compromised state. This architectural flaw effectively transforms a single locked position into a persistent drain on the protocol's reward efficiency.

Proof of Concept

contract RewardGriefingAttack {

function execute(address vault, uint128 vaultId) external {

// 1. Stake significant amount

vault.stake(vaultId, LARGE_AMOUNT);

// 2. Wait for rewards to accumulate

// time passes...

// 3. Get blacklisted on WETH

// external action...

// 4. Position now permanently locked

// - Cannot claim rewards (WETH transfer fails)

// - Cannot unstake (requires zero pending rewards)

}

Recommended Fixes

Implement emergency unstake mechanism for blacklisted addresses
Separate reward claiming from unstaking logic
Add protocol admin function to handle stuck positions
Consider implementing reward forfeiture mechanism for edge cases

function emergencyUnstake(uint128 vaultId, uint256 shares) external {

// Allow unstaking without claiming rewards

// Optionally forfeit or lock accumulated rewards

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.