Submission Details
Severity:
First-Time Reward Claim Bypass of Minimum Interval
Summary
In BaseGauge.sol, first-time users can bypass the minimum claim interval restriction (1 day) when claiming rewards due to uninitialized lastClaimTime.
Vulnerability Details
function getReward() external {
if (block.timestamp - lastClaimTime[msg.sender] < MIN_CLAIM_INTERVAL) {
revert ClaimTooFrequent();
}
lastClaimTime[msg.sender] = block.timestamp;
}
When lastClaimTime[msg.sender] = 0:
block.timestamp - 0 will always be > MIN_CLAIM_INTERVAL
First claim succeeds regardless of time since staking
Subsequent claims enforce 1 day wait
Impact
New users that stakes can claim immediately after staking
Tools Used
manual review
Recommendations
Initialize lastClaimTime in stake():
function stake(uint256 amount) external nonReentrant updateReward(msg.sender) {
_totalSupply += amount;
_balances[msg.sender] += amount;
+ lastClaimTime[msg.sender] = block.timestamp;
stakingToken.safeTransferFrom(msg.sender, address(this), amount);
emit Staked(msg.sender, amount);
}
Updates
Lead Judging Commences
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
BaseGauge reward system can be gamed through repeated stake/withdraw cycles without minimum staking periods, allowing users to earn disproportionate rewards vs long-term stakers
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
BaseGauge reward system can be gamed through repeated stake/withdraw cycles without minimum staking periods, allowing users to earn disproportionate rewards vs long-term stakers
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.