Description
Anyone can claim staking rewards without effectively staking funds.
Adversaries can bond funds just before withdrawing rewards and unbond immediately after.
The issue lies in the withdrawable_rewards function, which computes the rewards available for a user by querying the user's stakes directly from the staking contract, without considering the timing or existence of those stakes in the stake_rewards contract.
Since this function feeds the withdraw_rewards function with the available rewards information, anyone can stake at any time and claim rewards as long as the contract has sufficient rewards balance.
Recommendation
Ensure that the date/time of staking is considered when distributing rewards, or track bonds separately in the staking_rewards contract.
Add adversarial tests to ensure that adversaries cannot bypass the intended business logic.
Location
Description Anyone can claim staking rewards without effectively staking funds. Adversaries can bond funds just before withdrawing rewards and unbond immediately after. The issue lies in the
withdrawable_rewards
function, which computes the rewards available for a user by querying the user's stakes directly from the staking contract, without considering the timing or existence of those stakes in thestake_rewards
contract.Since this function feeds the
withdraw_rewards
function with the available rewards information, anyone can stake at any time and claim rewards as long as the contract has sufficient rewards balance.Recommendation Ensure that the date/time of staking is considered when distributing rewards, or track bonds separately in the staking_rewards contract. Add adversarial tests to ensure that adversaries cannot bypass the intended business logic.