GalloDaSballo / Apollon-Review

Notes for the Apollon Solo Security Review

`StakingOperation` will drip rewards to no-one if rewards are queued before any deposit #71

Open GalloDaSballo opened 3 months ago

GalloDaSballo commented 3 months ago

Impact

I believe they will have modest losses until someone deposits

This is further corroborated by the fact that the first deposit will continue instead of going through the early return path

https://github.com/blkswnStudio/ap/blob/8fab2b32b4f55efd92819bd1d0da9bed4b339e87/packages/contracts/contracts/StakingOperations.sol#L219-L230

```solidity
function updatePool(ISwapPair _pid) public {
  PoolInfo storage pool = poolInfo[_pid];

  // check
  if (block.timestamp <= pool.lastRewardTime) return;

  // update
  uint tokenSupply = _pid.balanceOf(address(this));
  if (tokenSupply == 0 || totalAllocPoint == 0) {
    pool.lastRewardTime = block.timestamp;
    return;
  }
```

Mitigation

Simply delay the first emission by a few hours or days to ensure someone has staked
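
Added example, not part of the original issue and not the project's code: a Python model of the zero-supply early return quoted above, showing how much of a funded reward window reaches no staker and how a delayed start removes the loss. The accumulator after the early return, the `PRECISION` scale, the fixed per-second rate and all numbers are assumptions (a generic MasterChef-style design), since the excerpt does not show the rest of `updatePool`.

```python
PRECISION = 10**18  # assumed fixed-point scale, not taken from the contract


class Pool:
    def __init__(self, reward_per_second, start_time):
        self.rate = reward_per_second
        self.last_reward_time = start_time  # first emission time
        self.acc_reward_per_share = 0
        self.supply = 0
        self.skipped = 0                    # rewards emitted while nobody was staked
        self.stake, self.debt = {}, {}

    def update_pool(self, now):
        if now <= self.last_reward_time:
            return
        reward = (now - self.last_reward_time) * self.rate
        if self.supply == 0:
            # Path from the excerpt: the clock advances, the elapsed reward
            # is credited to no one.
            self.skipped += reward
            self.last_reward_time = now
            return
        # Assumed continuation: standard per-share accumulator.
        self.acc_reward_per_share += reward * PRECISION // self.supply
        self.last_reward_time = now

    def deposit(self, user, amount, now):
        self.update_pool(now)
        self.stake[user] = self.stake.get(user, 0) + amount
        self.supply += amount
        self.debt[user] = self.debt.get(user, 0) + amount * self.acc_reward_per_share // PRECISION

    def pending(self, user, now):
        self.update_pool(now)
        return self.stake[user] * self.acc_reward_per_share // PRECISION - self.debt[user]


def run(start_time, first_deposit_time, end_time, rate=10):
    """Return (budget, paid_to_stakers, dripped_to_no_one) for one staker."""
    pool = Pool(rate, start_time)
    pool.deposit("alice", 100, first_deposit_time)  # constructed sample staker
    paid = pool.pending("alice", end_time)
    budget = (end_time - start_time) * rate  # assumed: whole window is pre-funded
    return budget, paid, pool.skipped


if __name__ == "__main__":
    print("emission starts before first deposit:", run(0, 3600, 86400))
    print("emission delayed past first deposit: ", run(7200, 3600, 93600))
```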