Core Contracts

Summary

The earned(...) function incorrectly calculates rewards based on getUserWeight(...) instead of directly using balances[user], which tracks staked tokens. This introduces a vulnerability where users can gain voting power without updating their reward checkpoint, allowing them to claim past rewards they were not originally entitled.

Vulnerability Details

Currently, the earned(...) function uses getUserWeight(...) instead of the user’s actual staked balance:

Why This Is a Problem

• Rewards are calculated using getUserWeight(...), which is an external dependency rather than using balances[user], which is updated upon staking.

• If getUserWeight(...) is updated before the user’s reward checkpoint, they can claim past rewards that should have only been available to previous weight holders.

• This breaks the reward accounting mechanism, allowing users to retroactively claim rewards they never contributed towards.

Exploit Scenario

1. A user gains weight/voting power through an external mechanism without staking.

2. Because getUserWeight(...) is used instead of balances[user], the user instantly becomes eligible for rewards without an updated checkpoint.

3. The user claims past rewards meant for previous stakers.

4. The reward pool is drained unfairly, reducing incentives for legitimate participants.

Impact

• Users can retroactively claim past rewards, leading to an incorrect allocation of incentives.

• Rewards are not properly distributed among actual stakers, as weight is considered independently of direct staking.

• The reward pool is depleted unfairly, affecting long-term sustainability.

Tools Used

N/A

Recommendations

• Use balances[user] in reward calculations instead of getUserWeight(...) to ensure only actively staked balances are considered.

• Ensure that a user’s reward checkpoint is updated before obtaining weight/voting power to prevent retroactive claims.

• Allow the controller to manually update user checkpoints before weight adjustments to maintain reward integrity.