The FeeCollector contract's reward calculation mechanism is vulnerable to manipulation because it calculates rewards based on current voting power without considering the duration of token lock-up. This allows users to maximize rewards by briefly locking tokens, claiming rewards, and immediately unlocking, effectively stealing rewards from long-term token lockers.
In the _calculatePendingRewards function:

The vulnerability exists because:
- Rewards are calculated from the current voting power snapshot
- There is no consideration of when the voting power was acquired
- There is no minimum lock period requirement
- There is no reward vesting or distribution over time

Attack Path:
1. Wait for significant rewards to accumulate in the contract
2. Lock tokens for maximum voting power
3. Claim rewards immediately
4. Unlock tokens
5. Repeat with the next reward cycle

Impact:
- Unfair reward distribution favoring tactical short-term lockers
- Diminished rewards for legitimate long-term stakers
- Undermines the incentive mechanism for long-term protocol alignment
- Potential drain of protocol rewards through repeated exploitation

Tool used: Manual code review.

Recommendation:
- Implement reward tracking per epoch.
- Add a minimum lock time requirement.
- Implement reward vesting.
- Use time-weighted voting power.
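The following is an added Python model, not the FeeCollector contract's own code, that puts the snapshot-based accounting described in the finding beside a per-epoch, time-weighted scheme with a minimum lock period. It assumes constructed values (a one-week epoch, a one-day minimum lock, two lockers named "long_term" and "flash") and shows that a last-second lock captures half the epoch's rewards under snapshot accounting but only a negligible share once rewards are weighted by power-seconds, and that an immediate unlock is refused.

```python
from dataclasses import dataclass

EPOCH_LENGTH = 7 * 24 * 3600  # constructed: one-week reward epochs
MIN_LOCK = 24 * 3600          # constructed: lockers must stay at least one day


def snapshot_rewards(power, reward):
    """Vulnerable accounting from the finding: the epoch's reward is split by
    the voting power held at claim time, regardless of how long it was held."""
    total = sum(power.values())
    return {user: reward * p // total for user, p in power.items()}


@dataclass
class Position:
    power: int = 0          # current voting power
    lock_start: int = 0     # timestamp of the current lock (for MIN_LOCK)
    last_update: int = 0    # last time power_seconds was accrued
    power_seconds: int = 0  # time-weighted power accumulated this epoch


class TimeWeightedLedger:
    """Recommended accounting: rewards are tracked per epoch and distributed in
    proportion to power-seconds, so power acquired late in the epoch earns
    almost nothing. Unlocking before MIN_LOCK has elapsed is rejected."""

    def __init__(self, epoch_start):
        self.epoch_start = epoch_start
        self.positions = {}

    def _accrue(self, pos, now):
        # Credit power held since the last update, then move the checkpoint.
        pos.power_seconds += pos.power * (now - pos.last_update)
        pos.last_update = now

    def lock(self, user, power, now):
        pos = self.positions.setdefault(user, Position(lock_start=now, last_update=now))
        self._accrue(pos, now)
        if pos.power == 0:
            pos.lock_start = now  # a fresh lock restarts the minimum-lock clock
        pos.power += power

    def unlock(self, user, now):
        pos = self.positions[user]
        if now - pos.lock_start < MIN_LOCK:
            raise ValueError("minimum lock period not elapsed")
        self._accrue(pos, now)
        pos.power = 0

    def settle_epoch(self, reward, epoch_end):
        # Bring every position up to the epoch boundary, then split the reward
        # by power-seconds and reset the counters for the next epoch.
        for pos in self.positions.values():
            self._accrue(pos, epoch_end)
        total = sum(p.power_seconds for p in self.positions.values())
        payout = {
            user: (reward * p.power_seconds // total) if total else 0
            for user, p in self.positions.items()
        }
        for pos in self.positions.values():
            pos.power_seconds = 0
        self.epoch_start = epoch_end
        return payout


def simulate(reward=1_000_000):
    """Constructed scenario: "long_term" locks 100 power for the whole epoch,
    "flash" locks 100 power one second before the epoch closes."""
    t0 = 0
    epoch_end = t0 + EPOCH_LENGTH

    # Snapshot accounting: both appear with equal power at claim time.
    vulnerable = snapshot_rewards({"long_term": 100, "flash": 100}, reward)

    # Time-weighted accounting over the same epoch.
    ledger = TimeWeightedLedger(t0)
    ledger.lock("long_term", 100, t0)
    ledger.lock("flash", 100, epoch_end - 1)
    fixed = ledger.settle_epoch(reward, epoch_end)

    # The flash locker tries to leave right after settlement.
    try:
        ledger.unlock("flash", epoch_end)
        refused = False
    except ValueError:
        refused = True
    return vulnerable, fixed, refused


if __name__ == "__main__":
    vulnerable, fixed, refused = simulate()
    print("snapshot accounting:     ", vulnerable)
    print("time-weighted accounting:", fixed)
    print("immediate unlock refused:", refused)
```

The vulnerable split hands the flash locker 50% of the epoch's rewards for one second of exposure; the time-weighted split gives it roughly one part in 600,000, which is the ratio of its power-seconds to the long-term locker's. Reward vesting, the remaining recommendation, would further spread each payout over time rather than releasing it at settlement.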