Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Reward Inflation Exploit Due to `rewardPerToken()` Overflow in Low Liquidity Scenarios

daniel526

The function getRewardPerToken() calculates the reward per staked token using the formula:

function getRewardPerToken() public view returns (uint256) {
if (totalSupply() == 0) {
return rewardPerTokenStored;
}
return rewardPerTokenStored + (
(lastTimeRewardApplicable() - lastUpdateTime) * rewardRate * 1e18 / totalSupply()
);
}

This implementation does not account for extremely low liquidity scenarios, where totalSupply() is very small or temporarily zero. If totalSupply() is close to zero, the division

(rewardRate * timeElapsed * 1e18) / totalSupply()

can lead to massively inflated reward calculations, causing disproportionate rewards for the next staker who joins after a period of low liquidity.

Example exploit scenario:

  1. Assume totalSupply() = 1 wei and rewardRate is high.

  2. The calculation (rewardRate * timeElapsed * 1e18) / totalSupply() results in an excessively large rewardPerToken value.

  3. A new user stakes tokens after this calculation and receives inflated rewards far beyond what is expected.

This results in unfair rewards distribution, where opportunistic users can wait for a period of low liquidity, stake immediately after, and drain excessive rewards.

Impact:

Massively inflated rewards allow a single user to drain a disproportionate share of rewards during low liquidity periods.

Mitigation:

Introduce an upper bound on rewardPerToken() increases by capping the maximum possible rewardPerTokenStored update per period.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.