Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Users can withdraw their funds from the BaseGauge, but will still receive rewards

Summary

Users can withdraw their funds from the BaseGauge, but will still receive rewards

Vulnerability Details

The amount of rewards a user is owed is computed by the earned function:

    function earned(address account) public view returns (uint256) {
        // Reward basis is the user's voting weight, not the staked balance.
        return (getUserWeight(account) * (getRewardPerToken() - userStates[account].rewardPerTokenPaid))
            + userStates[account].rewards;
    }

As we can see, the formula does not use how many tokens the user has staked, which means a user can withdraw their tokens and still receive rewards. The earned rewards are measured only by the user's voting power (getUserWeight).

Impact

Loss of funds for the protocol: rewards are paid out to users who no longer have any tokens staked.

Tools Used

Recommendations

Add a check so that a user with no staked tokens does not receive reward tokens, or change the formula to use the user's staked token balance instead of their voting weight.
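To make the Vulnerability Details and the Recommendation concrete, here is an added Python model of the reward accounting (constructed for this write-up, not BaseGauge's own code). It assumes a Synthetix-style rewardPerToken accumulator and treats voting weight as independent of the staked balance; the flag switches between the weight-based earned() and the staked-balance fix.

```python
from fractions import Fraction


class Gauge:
    """Constructed Synthetix-style reward model (not BaseGauge's real code).
    use_staked_balance=False reproduces the bug: earned() scales by voting weight."""

    def __init__(self, reward_rate, use_staked_balance):
        self.reward_rate = Fraction(reward_rate)      # reward units per second
        self.use_staked_balance = use_staked_balance
        self.total_staked, self.last_update = Fraction(0), 0
        self.reward_per_token_stored = Fraction(0)
        self.balance, self.weight = {}, {}
        self.reward_per_token_paid, self.rewards = {}, {}

    def reward_per_token(self, now):
        if self.total_staked == 0:
            return self.reward_per_token_stored
        return self.reward_per_token_stored + (now - self.last_update) * self.reward_rate / self.total_staked

    def earned(self, account, now):
        # Vulnerable path: weight still counts even after the whole stake is withdrawn.
        basis = self.balance.get(account, 0) if self.use_staked_balance else self.weight.get(account, 0)
        delta = self.reward_per_token(now) - self.reward_per_token_paid.get(account, 0)
        return basis * delta + self.rewards.get(account, 0)

    def _checkpoint(self, account, now):
        self.reward_per_token_stored = self.reward_per_token(now)
        self.last_update = now
        self.rewards[account] = self.earned(account, now)
        self.reward_per_token_paid[account] = self.reward_per_token_stored

    def stake(self, account, amount, weight, now):
        self._checkpoint(account, now)
        self.balance[account] = self.balance.get(account, 0) + amount
        self.weight[account] = weight                 # voting power, independent of stake
        self.total_staked += amount

    def withdraw_all(self, account, now):
        self._checkpoint(account, now)
        self.total_staked -= self.balance.get(account, 0)
        self.balance[account] = 0                     # weight is deliberately left as is


def rewards_after_full_withdrawal(use_staked_balance):
    """alice and bob stake 100 each at t=0; alice withdraws all at t=10; inspect at t=20."""
    g = Gauge(reward_rate=200, use_staked_balance=use_staked_balance)
    g.stake("alice", 100, weight=100, now=0)
    g.stake("bob", 100, weight=100, now=0)
    g.withdraw_all("alice", now=10)
    return g.earned("alice", 20), g.earned("bob", 20), g.reward_rate * 20
```

With the weight-based formula alice and bob are each owed 3000 although only 4000 reward units were emitted, so the gauge is insolvent; with the staked-balance formula alice stops accruing at 1000 and the 4000 total is respected.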

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

BaseGauge::earned calculates rewards using getUserWeight instead of staked balances, potentially allowing users to claim rewards by gaining weight without proper reward checkpoint updates
