Users are incentivized to stake dust amount to gauges
Summary
Gauge stakers will receive reward over time. The problem is, reward rate does not depend on staked amount, but rather depends on user's current balance (unstaked amount). Moreover, reward rate is inversely proportionate to gauge's total staked amount. Thus, users will be strongly incentivzied to stake dust amount to the protocol.
Vulnerability Details
We need some maths to understand the root cause. Let's take a look at important variables in BaseGauge implementation and try to understand how user's earned amount is calculated.
: user's veToken balance. (NOT staked amount)
: veToken's total supply
: gauge weight. Gauge weight is set in and retrieved from GaugeController. Fixed percentage.
: boost for user. It is calculated as the following:
(1)
: user weight, calculated as the following:
(2)
: gauge's total supply i.e. veToken's total staked amount in gauge
: reward rate - It is set when GaugeController notifies reward. Depends on gauge's emission rate. Fixed amount in current implementation
: elapsed time since the last reward claim
: reward per token, calculated as the following:
(3)
: unclaimed reward amount, more specifically userStates[account].rewards
: User's earned amount, calculated as the following:
(4)
We can derive the following statements:
-
Earned amount is proportionate to user's veToken balance, because:
Earned amount is proportionate to user weight (4)
User weight is proportionate to user's boost (2)
Boost grows as user's veToken balance increases (1)
-
Earned amount is inversely proportionate to gauge's total staked amount, because:
Earned amount si proportionate to reward per token (4)
Reward per token is inversely proportionate to gauge's total supply (3)
So users will get maximum reward if they deposit dust amount (1 wei) to the gauge. Because in this way, they can keep their veToken balance at maximum and keep gauge's total staked amount at minimum.
Even if the staking token is not veRAACToken, there's no incentive for users to stake big amount to protocol, 1 wei is enough (actually too much) to get rewards.
Impact
Disrupted protocol functionality.
Tools Used
Manual Review
Recommendations
When calculating earned amount, user's current staked amount should be considered as well.
Lead Judging Commences
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.