Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Reward Inflation Exploit Due to `rewardPerToken()` Overflow in Low Liquidity Scenarios

daniel526

The function getRewardPerToken() calculates the reward per staked token using the formula:

function getRewardPerToken() public view returns (uint256) {
if (totalSupply() == 0) {
return rewardPerTokenStored;
}
return rewardPerTokenStored + (
(lastTimeRewardApplicable() - lastUpdateTime) * rewardRate * 1e18 / totalSupply()
);
}

This implementation does not account for extremely low liquidity scenarios, where totalSupply() is very small or temporarily zero. If totalSupply() is close to zero, the division

(rewardRate * timeElapsed * 1e18) / totalSupply()

can lead to massively inflated reward calculations, causing disproportionate rewards for the next staker who joins after a period of low liquidity.

Example exploit scenario:

  1. Assume totalSupply() = 1 wei and rewardRate is high.

  2. The calculation (rewardRate * timeElapsed * 1e18) / totalSupply() results in an excessively large rewardPerToken value.

  3. A new user stakes tokens after this calculation and receives inflated rewards far beyond what is expected.

This results in unfair rewards distribution, where opportunistic users can wait for a period of low liquidity, stake immediately after, and drain excessive rewards.

Impact:

Massively inflated rewards allow a single user to drain a disproportionate share of rewards during low liquidity periods.

Mitigation:

Introduce an upper bound on rewardPerToken() increases by capping the maximum possible rewardPerTokenStored update per period.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!