Users can keep distributing rewards to the guage
Summary
In the guageController.sol there is a distributeRewards() function, which calculates the guageweight ratio of a specific guage and then distributes the rewards accordingly. But there is no restriction on how many times this function can be called in the same reward interval. So users can simply keep calling this function many times to keep increasing the rewards of their guage.
Vulnerability Details
The distributeRewards() function calculates the rewards based on the current weight ratio of the guage and then distributes the rewards. But since there is no limit on how many times this can be called in a reward period users can simply spam this function to unfairly increase the rewards of their guage and thus gain unfairly.
Note: this requires the reward tokens to be present in the guage in the first place, else the call will revert.
Impact
Users can get more rewards than necessary if the reward tokens are present in the guage.
Tools Used
manual review
Recommendations
limit calling this function using a time lock
Lead Judging Commences
GaugeController notifies gauges of rewards without transferring tokens in both distributeRewards and _distributeToGauges functions, breaking reward distribution
GaugeController notifies gauges of rewards without transferring tokens in both distributeRewards and _distributeToGauges functions, breaking reward distribution
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.