Before the owner of StakingRewards call the function notifyRewardAmount, the rewardRate still 0. But it has been used in function getRewardForDuration() and function rewardPerToken(). This causes the return value of the function getRewardForDuration() and function rewardPerToken() to be 0. It means that the user who stake in this contract can not Inquire their reward.
Handle
ACai
Vulnerability details
Impact
https://github.com/code-423n4/2021-12-vader/blob/main/contracts/staking-rewards/StakingRewards.sol
The
rewardRatewould still 0 after the functionnotifyRewardAmountis executed. The user who stake in this contract can not Inquire their reward.Proof of Concept
https://github.com/code-423n4/2021-12-vader/blob/main/contracts/staking-rewards/StakingRewards.sol
At the beginning, the
rewardRateis 0.Before the owner of
StakingRewardscall the functionnotifyRewardAmount, therewardRatestill 0. But it has been used in functiongetRewardForDuration()and functionrewardPerToken(). This causes the return value of the functiongetRewardForDuration()and functionrewardPerToken()to be 0. It means that the user who stake in this contract can not Inquire their reward.Tools Used
VS Code
Recommended Mitigation Steps
-