Description
Anyone can claim staking rewards without effectively staking funds.
Adversaries can bond funds just before withdrawing rewards and unbond immediately after.
The issue lies in the withdrawable_rewards function, which computes the rewards available for a user by querying the user's stakes directly from the staking contract, without considering the timing or existence of those stakes in the stake_rewards contract.
Since this function feeds the withdraw_rewards function with the available rewards information, anyone can stake at any time and claim rewards as long as the contract has sufficient rewards balance.
Recommendation
Ensure that the date/time of staking is considered when distributing rewards, or track bonds separately in the staking_rewards contract.
Add adversarial tests to ensure that adversaries cannot bypass the intended business logic.
gangov
commented
2 months ago
Location
Description Anyone can claim staking rewards without effectively staking funds. Adversaries can bond funds just before withdrawing rewards and unbond immediately after. The issue lies in the
withdrawable_rewardsfunction, which computes the rewards available for a user by querying the user's stakes directly from the staking contract, without considering the timing or existence of those stakes in thestake_rewardscontract.Since this function feeds the
withdraw_rewardsfunction with the available rewards information, anyone can stake at any time and claim rewards as long as the contract has sufficient rewards balance.Recommendation Ensure that the date/time of staking is considered when distributing rewards, or track bonds separately in the staking_rewards contract. Add adversarial tests to ensure that adversaries cannot bypass the intended business logic.