In notifyRewardAmount function, if Admin added a reward 100 once block.timestamp >= periodFinish. Now if Admin decides to add 200 rewards calling this function at block.timestamp >= periodFinish then contract considers total reward as 200 and discards the reward 100 added initially
if (block.timestamp >= periodFinish) {
rewardRate = reward / rewardsDuration; // old reward is not considered
}
CloudEllie
commented
2 years ago
Judge @GalloDaSballo has assessed the 11th item in QA Report #26 as Medium risk. The relevant finding follows:
…
Contract: https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol
In notifyRewardAmount function, if Admin added a reward 100 once block.timestamp >= periodFinish. Now if Admin decides to add 200 rewards calling this function at block.timestamp >= periodFinish then contract considers total reward as 200 and discards the reward 100 added initially