Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Incorrect reward distribution logic in the gauges

Summary

Rewards are distributed from the gauge controller through a call to GaugeController::distributeRewards, which notifies each gauge of a reward amount proportional to its relative weight. Each gauge has its own distribution period (e.g., weekly, monthly), and the reward rate determined at distribution time should apply for the whole of that period so that rewards are distributed consistently and fairly. However, the current implementation lets any user call distributeRewards repeatedly and re-set the rate whenever the weight distribution favours them.

Vulnerability Details

Because the new rate overwrites the old one, a gauge can lose rewards outright: if the rewards-per-token accumulator is not checkpointed before the rate is reduced, the rewards accrued at the old rate for the elapsed part of the period are recomputed at the lower rate, and the undistributed remainder of the old period is not carried over.

Impact

A rate that can be changed at any time by any caller produces unfair and unpredictable reward distribution, and stakers can lose rewards they have already earned.

Tools Used

Manual review.

Recommendations

The reward rate should be set only once per period. Once determined, it applies to every user claiming rewards for tokens staked during that period. After the period expires and a user makes a final claim, the rewards for that period are settled and the user is no longer entitled to further claims against it.

Note that if different emission periods are allowed (weekly vs. monthly as of now), this scheme would still let users inflate the weight of the weekly rewards once the monthly period has started.
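The following Python model is an added example, not code from the Regnum Aurum contracts, and illustrates both the rate-overwrite problem described above and the recommended fix. It uses a Synthetix-style rewardPerToken accumulator (the class and method names `Gauge`, `Controller`, `notify_vulnerable`, `notify_fixed` and `distribute` are assumptions for the example, and the amounts and timestamps are constructed). In the vulnerable path a mid-period re-notify neither checkpoints the accumulator nor carries over the undistributed remainder, so a staker who should collect 707 tokens ends up with 10; the fixed path checkpoints first and rolls the remainder into the new period. The controller model shows why distributeRewards also needs a timestamp: without one, a single block can emit several periods' worth of rewards up to the cap.

```python
"""Toy model of a Synthetix-style staking gauge and its controller (example only)."""
from fractions import Fraction as F


class Gauge:
    """Minimal rewardPerToken accumulator; time is in abstract units (e.g. days)."""

    def __init__(self, duration):
        self.duration = duration
        self.rate = F(0)
        self.period_finish = 0
        self.last_update = 0
        self.rpt_stored = F(0)          # rewardPerTokenStored
        self.total_supply = F(0)
        self.balance = {}
        self.paid = {}                  # userRewardPerTokenPaid
        self.earned_stored = {}         # rewards[user]

    def _last_applicable(self, now):
        return min(now, self.period_finish)

    def reward_per_token(self, now):
        if self.total_supply == 0:
            return self.rpt_stored
        elapsed = self._last_applicable(now) - self.last_update
        return self.rpt_stored + self.rate * elapsed / self.total_supply

    def _update(self, now, user=None):
        """Checkpoint the accumulator (and optionally one user's earned balance)."""
        self.rpt_stored = self.reward_per_token(now)
        self.last_update = self._last_applicable(now)
        if user is not None:
            self.earned_stored[user] = self.earned(user, now)
            self.paid[user] = self.rpt_stored

    def earned(self, user, now):
        bal = self.balance.get(user, F(0))
        delta = self.reward_per_token(now) - self.paid.get(user, F(0))
        return self.earned_stored.get(user, F(0)) + bal * delta

    def stake(self, user, amount, now):
        self._update(now, user)
        self.balance[user] = self.balance.get(user, F(0)) + amount
        self.total_supply += amount

    def notify_vulnerable(self, amount, now):
        # Overwrites the rate with no checkpoint and no carry-over of the
        # still-undistributed remainder of the running period (the bug).
        self.rate = F(amount) / self.duration
        self.period_finish = now + self.duration

    def notify_fixed(self, amount, now):
        # Checkpoint first so rewards accrued at the old rate are locked in,
        # then roll the undistributed remainder into the new period.
        self._update(now)
        if now < self.period_finish:
            amount += self.rate * (self.period_finish - now)
        self.rate = F(amount) / self.duration
        self.period_finish = now + self.duration


class Controller:
    """Emits one period's allowance per distribute call, optionally time-gated."""

    def __init__(self, per_period, cap, period, time_tracked):
        self.per_period, self.cap, self.period = per_period, cap, period
        self.time_tracked = time_tracked
        self.emitted = 0
        self.last_distribution = None

    def distribute(self, now):
        if (self.time_tracked and self.last_distribution is not None
                and now < self.last_distribution + self.period):
            return False                # period has not elapsed yet
        if self.emitted + self.per_period > self.cap:
            return False                # emission cap reached
        self.emitted += self.per_period
        self.last_distribution = now
        return True


def staker_rewards(vulnerable):
    """Alice stakes 100; admin notifies 700 over 7 units; attacker re-notifies 7 at t=3."""
    g = Gauge(duration=7)
    g.stake("alice", F(100), now=0)
    notify = g.notify_vulnerable if vulnerable else g.notify_fixed
    notify(700, now=0)                  # rate 100 per unit, finishes at t=7
    notify(7, now=3)                    # mid-period reset to rate 1 (if vulnerable)
    return g.earned("alice", now=10)    # vulnerable: 10, fixed: 707


def emitted_in_one_block(time_tracked):
    """Ten distribute calls at the same timestamp against a 5000-token cap."""
    c = Controller(per_period=700, cap=5000, period=7, time_tracked=time_tracked)
    for _ in range(10):
        c.distribute(now=0)
    return c.emitted                    # untracked: 4900, tracked: 700


if __name__ == "__main__":
    print("vulnerable gauge:", staker_rewards(True), "fixed gauge:", staker_rewards(False))
    print("untracked controller:", emitted_in_one_block(False),
          "tracked controller:", emitted_in_one_block(True))
```

The loss in the vulnerable path has two parts: the 300 tokens Alice accrued at the old rate during t=0..3 are recomputed at the new rate because the accumulator was never checkpointed, and the 400 tokens left in the original period are simply dropped when the rate is overwritten. The fixed `notify_fixed` addresses both, and the time gate in `Controller.distribute` prevents the same caller from draining the emission cap by re-distributing within one period.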

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

GaugeController's distributeRewards lacks time-tracking, allowing attackers to repeatedly distribute full period rewards until hitting emission caps

BaseGauge's notifyRewardAmount overwrites reward rates without accounting for undistributed rewards, allowing attackers to reset admin-distributed rewards