notifyReward in BASEGauge stuck dust funds
Summary
In the BaseGauge contract, the notifyReward function calculates the rewardRate by dividing the amount by the periodDuration. This division can lead to rounding errors, causing a portion of the rewards to be stuck in the contract. Over time, these stuck funds can compound, leading to significant inefficiencies and potential financial losses for users.
Vulnerability Details
The notifyReward function calculates the rewardRate as follows:
Since Solidity performs integer division, any remainder from the division is discarded. For example, if amount = 100 and periodDuration = 7, the rewardRate will be 14 (since 100 / 7 = 14.285...), and the remaining 2 tokens will be effectively stuck in the contract. This issue becomes more pronounced over time, especially when the periodDuration is large (e.g., 1 week or 1 month), leading to a significant accumulation of stuck funds.
Code Analysis
Impact
Stuck Funds: Due to rounding errors, a portion of the rewards will remain in the contract and cannot be distributed to users.
Compounding Over Time: As more rewards are added, the stuck funds will compound, leading to increasingly larger amounts of unusable tokens.
Tools Used
Manual Review
Recommendations
Track and Distribute Residual Rewards
Introduce a mechanism to track the residual rewards (the remainder from the division) and distribute them in subsequent reward periods. This ensures that no funds are permanently stuck in the contract.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.