A malicious user can take all of the rewards in FeeCollector for the locked funds
When the protocol distributes rewards, each user's share is computed from their voting power at claim time with this formula:
Let's say totalDistributed = 1000.
Alice has 40 userVotingPower.
Bob has 60 userVotingPower.
This gives totalVotingPower = 100.
Alice's share will be 1000 * 40 / 100 = 400.
Bob's share will be 1000 * 60 / 100 = 600.
So far so good.
But what happens if a malicious user locks their funds early, notices Alice and Bob claiming their rewards, and front-runs their transactions by calling the locking function to obtain 10,000 VotingPower?
Alice and Bob will not receive any reward:
Alice = 1000 * 40 / 11000 = 0
Bob = 1000 * 60 / 11000 = 0
The malicious user will take everything, which means a loss of rewards for the legitimate users.
Use the Compound V3 approach: record the block at which the user locked and how many rewards had been distributed up to that block, then subtract that amount from the user's claim so that the user only earns rewards distributed after the block in which they locked.