Phoenix-Protocol-Group / phoenix-contracts

Source code of the smart contracts of the Phoenix DeFi hub DEX protocol
GNU General Public License v3.0

PHOAM-017: Adversaries can steal rewards via unbond #348

Closed gangov closed 2 months ago

gangov commented 2 months ago

Location

./contracts/stake_rewards/src/contract.rs:187

Description

Anyone can obtain more rewards than intended by repeatedly calling the calculate_unbond function to increase the shares_correction. This function allows unbonding the same stake (last_stake in the snippet below) multiple times without tracking those already unbonded. Consequently, adversaries can continuously increase their shares correction.

Since old_power is greater than new_power, the update_rewards function causes the adversary's shares_correction variable to increase, enabling them to withdraw more rewards than intended.

Recommendation

Ensure that a stake cannot be bonded or unbonded more than once.

gangov commented 2 months ago

already solved
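
A simplified model of the check the recommendation asks for, added here as an illustration and not taken from the Phoenix contracts. The `Staker` type, both unbond methods and the accounting formula in the comment are assumptions, and the stake values are constructed.

```rust
use std::collections::HashSet;

// Simplified model, not Phoenix code. Assumed accounting:
// owed = points_per_share * power + shares_correction.
pub struct Staker {
    pub stakes: Vec<(u64, i128)>, // (stake id, amount); constructed sample data
    pub unbonded: HashSet<u64>,   // ids of stakes already unbonded
    pub shares_correction: i128,
}

impl Staker {
    pub fn new(stakes: Vec<(u64, i128)>) -> Self {
        Staker { stakes, unbonded: HashSet::new(), shares_correction: 0 }
    }
    // Power counts only stakes that are not marked as unbonded.
    pub fn power(&self) -> i128 {
        self.stakes.iter().filter(|s| !self.unbonded.contains(&s.0)).map(|s| s.1).sum()
    }
    pub fn owed(&self, pps: i128) -> i128 {
        pps * self.power() + self.shares_correction
    }
    fn amount_of(&self, id: u64) -> Result<i128, &'static str> {
        self.stakes.iter().find(|s| s.0 == id).map(|s| s.1).ok_or("unknown stake")
    }
    // Flawed pattern described in the issue: the correction for the power
    // drop is applied, but nothing records that this stake was unbonded.
    pub fn unbond_untracked(&mut self, id: u64, pps: i128) -> Result<(), &'static str> {
        let old_power = self.power();
        let new_power = old_power - self.amount_of(id)?;
        self.shares_correction += pps * (old_power - new_power);
        Ok(())
    }
    // Hardened: mark the stake first and reject a second unbond of the same id.
    pub fn unbond_tracked(&mut self, id: u64, pps: i128) -> Result<(), &'static str> {
        let amount = self.amount_of(id)?;
        if !self.unbonded.insert(id) {
            return Err("stake already unbonded");
        }
        self.shares_correction += pps * amount;
        Ok(())
    }
}

fn main() {
    let mut s = Staker::new(vec![(1, 100), (2, 50)]);
    let first = s.unbond_tracked(1, 3);
    let repeat = s.unbond_tracked(1, 3);
    println!("first: {:?}, repeat: {:?}, owed: {}", first, repeat, s.owed(3));
}
```

In the tracked path the amount owed is the same before and after a legitimate unbond, which is the invariant a regression test for this issue can assert.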