Description
The contributeBonus() function allows any address to contribute an arbitrary amount of stakeToken to the pool.
totalBonus += received;
There are no restrictions on who may contribute or how much may be donated. As a result, an attacker can intentionally donate an excessively large amount of tokens, causing totalBonus to become arbitrarily large.
While the attacker sacrifices their own funds, this can be used to grief the protocol by manipulating reward-related metrics, distorting economic assumptions, or interfering with downstream logic that relies on totalBonus remaining within expected bounds.
This issue does not directly enable theft of funds but can negatively affect protocol behavior depending on how totalBonus is consumed elsewhere.
Likelihood:
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2
Impact:
Impact 1
Impact 2
Low (or Medium if you can prove it materially disrupts reward distribution, protocol accounting, or causes denial of service).
Restrict bonus contributions to a designated sponsor or governance-controlled address.
Introduce a maximum cap on totalBonus.
Limit the maximum amount per contribution.
Explicitly document that unrestricted third-party donations are an intended feature if this behavior is by design
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.
The contest is complete and the rewards are being distributed.