Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Insufficient validation of amount provided to notifyRewardAmount

In gauge.notifyRewardAmount, we validate that the reward token balance of the
contract is sufficient to cover future reward emissions:

    // ... earlier part of notifyRewardAmount not shown ...
    uint256 balance = rewardToken.balanceOf(address(this));
    if (rewardRate * getPeriodDuration() > balance) { //@audit
        revert InsufficientRewardBalance();
    }
}

In the current implementation, the contract only checks that its balanceOf for the reward token is at least the future rewards.

However, under normal circumstances users do not withdraw all of their rewards immediately, so the balance in the contract includes rewards that already belong to users but have not been withdrawn yet. The current check is therefore not sufficient to ensure the contract holds enough reward tokens.
As a result, users can repeatedly call distributeRewards on the controller, which calls notifyRewardAmount with the reward within the same emission period. The contract then ends up in a wrong state in which some users are unable to claim their rewards.

Impact

Some users would end up unable to claim their rewards.

Recommendation

Consider using transferFrom to receive the reward amount.
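
The accounting gap and the transferFrom recommendation, replayed in a small Python model (an added example, not code from the audited contracts). The period length, token amounts, the rate formula `amount // PERIOD` and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass

PERIOD = 100  # constructed emission period, in seconds


class InsufficientRewardBalance(Exception):
    """Stands in for the contract's revert."""


@dataclass
class GaugeModel:
    balance: int = 0      # rewardToken.balanceOf(address(this))
    reward_rate: int = 0  # tokens emitted per second
    unclaimed: int = 0    # accrued to stakers, not yet withdrawn

    def accrue(self, seconds: int) -> None:
        """Time passes: stakers earn rewards and leave them in the contract."""
        self.unclaimed += self.reward_rate * seconds

    def notify(self, amount: int, sender_tokens: int, pull: bool) -> int:
        """Start a new emission of `amount`; returns the sender's remaining tokens."""
        if pull:
            # Recommendation: receive the amount (transferFrom) at notification.
            if amount > sender_tokens:
                raise InsufficientRewardBalance("transfer would revert")
            self.balance += amount
            sender_tokens -= amount
        rate = amount // PERIOD  # assumed rate formula
        if rate * PERIOD > self.balance:  # the check quoted in the finding
            raise InsufficientRewardBalance("balance check")
        self.reward_rate = rate
        return sender_tokens

    def shortfall(self) -> int:
        """Accrued rewards that the token balance cannot pay out."""
        return max(0, self.unclaimed - self.balance)


def replay(pull: bool) -> int:
    """1000 tokens exist in total; rewards are notified twice in one period."""
    gauge = GaugeModel(balance=0 if pull else 1000)
    sender = gauge.notify(1000, 1000 if pull else 0, pull)
    gauge.accrue(PERIOD // 2)  # half the period elapses, nothing is claimed
    try:
        gauge.notify(1000, sender, pull)  # second notification, no new tokens
        gauge.accrue(PERIOD)              # accepted: a full new period is emitted
    except InsufficientRewardBalance:
        gauge.accrue(PERIOD // 2)         # rejected: the first period just finishes
    return gauge.shortfall()
```

With the balance-only check the second notification is accepted because the 500 unclaimed tokens are counted as available, leaving 500 tokens of accrued rewards unpayable; when the amount must be transferred in, the same call is rejected and nothing is over-allocated.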

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::notifyRewardAmount checks token balance without accounting for unclaimed rewards, allowing allocation of more rewards than available tokens
