Description
The later the distribute_rewards function is called for the first time, the more rewards an adversary can earn without having to stake funds.
The problem is that when a distribution is created via the create_distribution_flow function, the shares_per_point variable (which should be renamed to points_per_share) is set to 1u128, a very low value. This variable is only updated in the distribute_rewards function, to a theoretically much higher value, as shown in the snippet below.
Therefore, an adversary looking to maximize rewards without locking funds can front-run a distribute_rewards call with a call to bond, so that the (negative) correction applied to that stake is minimal.
Recommendation
Implement a time-based checkpoint system to calculate rewards, taking into account the timestamp of each staking action. This way there is no need to use the corrections, which pose a risk because of the number of arithmetic operations performed on int128 values.
Otherwise, clearly document how often the distribute_rewards function should be called.
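To illustrate both the front-running issue in the description and the recommended fix, here is an added, simplified model (not the audited contract's code) of the two accounting schemes; the names points_per_share, correction and bond mirror the finding, while the formulas are assumed textbook accumulator arithmetic rather than the project's own:

```rust
// Added example, not the audited contract's code: a simplified model contrasting
// the snapshot accumulator from the finding with a time-based checkpoint scheme.
#[derive(Default)]
struct Staker { amount: u128, correction: i128, checkpoint: u64, earned: u128 }

/// Snapshot accounting: accrued flow is folded into `points_per_share` only when
/// `distribute_rewards` runs, so whoever is bonded at that instant gets a
/// pro-rata share regardless of how long the stake has existed.
struct Snapshot { points_per_share: u128, total: u128, stakers: Vec<Staker> }

impl Snapshot {
    fn new() -> Self { Self { points_per_share: 1, total: 0, stakers: vec![] } }
    fn bond(&mut self, amount: u128) -> usize {
        // Correction cancels points that accrued before this stake existed.
        // While points_per_share is still 1 the correction is negligible.
        let correction = -((amount * self.points_per_share) as i128);
        self.stakers.push(Staker { amount, correction, ..Default::default() });
        self.total += amount;
        self.stakers.len() - 1
    }
    fn distribute_rewards(&mut self, rewards: u128) {
        if self.total > 0 { self.points_per_share += rewards / self.total; }
    }
    fn rewards_of(&self, id: usize) -> u128 {
        let s = &self.stakers[id];
        ((s.amount * self.points_per_share) as i128 + s.correction) as u128
    }
}

/// Checkpoint accounting: each staker's stake-seconds since their last
/// checkpoint decide their share, so a last-second bond earns almost nothing.
struct Checkpointed { stakers: Vec<Staker> }

impl Checkpointed {
    fn new() -> Self { Self { stakers: vec![] } }
    fn bond(&mut self, amount: u128, now: u64) -> usize {
        self.stakers.push(Staker { amount, checkpoint: now, ..Default::default() });
        self.stakers.len() - 1
    }
    fn distribute_rewards(&mut self, rewards: u128, now: u64) {
        let weight = |s: &Staker| s.amount * (now - s.checkpoint) as u128;
        let total: u128 = self.stakers.iter().map(weight).sum();
        for s in self.stakers.iter_mut() {
            if total > 0 { s.earned += rewards * weight(&*s) / total; }
            s.checkpoint = now; // checkpoint the staking action at this timestamp
        }
    }
    fn rewards_of(&self, id: usize) -> u128 { self.stakers[id].earned }
}
```

With an honest stake of 100 bonded at t=0 and an adversary bonding 100 at t=99 just before a 1000-reward distribution at t=100, the snapshot scheme pays both 500, while the checkpoint scheme pays the honest staker 990 and the adversary 9.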
Location