Lines of code
https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Bribe.sol#L41
https://github.com/code-423n4/2022-05-velodrome/blob/main/contracts/contracts/Gauge.sol#L590
Vulnerability details
Impact
notifyRewardAmount on the Bribe and Gauge contracts is callable by anyone with any token, so an attacker can register arbitrary junk tokens until the reward list holds MAX_REWARD_TOKENS entries. The team can later replace these fake tokens by calling swapOutRewardToken, but nothing stops the attacker from refilling each freed slot. A malicious actor can therefore keep the contracts permanently at MAX_REWARD_TOKENS reward tokens, which wastes gas on every delivery (each reward token adds an iteration to the per-delivery loop) and forces ongoing team effort and coordination to clean the list.
Recommended Mitigation Steps
Consider allowing only a whitelisted set of addresses to call notifyRewardAmount, or at least to register a token that is not already in the reward list, so that an untrusted caller cannot fill the reward list.
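The pattern described above and the recommended gate, as an added illustration that is not Velodrome's Gauge or Bribe code. The contract name, the team-managed allowlist (canAddReward), the loop in rewardBalances and the constant value of MAX_REWARD_TOKENS are all assumptions made for this example; only the shape of the issue (an open registration path bounded solely by MAX_REWARD_TOKENS, plus a team-only swap-out) is reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal ERC20 surface needed here.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical reward distributor built for this example (not Velodrome's code).
contract RewardListExample {
    uint256 public constant MAX_REWARD_TOKENS = 16; // assumed bound

    address public immutable team;

    address[] public rewards;                        // tokens iterated on every delivery
    mapping(address => bool) public isReward;
    mapping(address => uint256) public rewardBalance;
    mapping(address => bool) public canAddReward;    // allowlist used by the hardened path

    constructor(address _team) {
        team = _team;
    }

    modifier onlyTeam() {
        require(msg.sender == team, "not team");
        _;
    }

    // VULNERABLE pattern: anyone can register any token. The only limit is
    // MAX_REWARD_TOKENS, so an attacker can push dust of 16 junk tokens and
    // keep the reward loop at its maximum length forever.
    function notifyRewardAmountOpen(address token, uint256 amount) external {
        require(amount > 0, "amount");
        if (!isReward[token]) {
            require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
            isReward[token] = true;
            rewards.push(token);
        }
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer");
        rewardBalance[token] += amount;
    }

    // HARDENED pattern (the recommended mitigation): only allowlisted callers may
    // add a new token to the list. Topping up an already registered token stays
    // permissionless, since that cannot grow the loop.
    function notifyRewardAmount(address token, uint256 amount) external {
        require(amount > 0, "amount");
        if (!isReward[token]) {
            require(canAddReward[msg.sender], "caller not whitelisted");
            require(rewards.length < MAX_REWARD_TOKENS, "too many rewards tokens");
            isReward[token] = true;
            rewards.push(token);
        }
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer");
        rewardBalance[token] += amount;
    }

    function setCanAddReward(address who, bool allowed) external onlyTeam {
        canAddReward[who] = allowed;
    }

    // Cleanup path mentioned in the finding: the team replaces a slot held by a
    // junk token. With the open variant the attacker simply refills the slot
    // after every swap, so this is damage control, not a fix.
    function swapOutRewardToken(uint256 i, address oldToken, address newToken) external onlyTeam {
        require(rewards[i] == oldToken, "slot mismatch");
        require(!isReward[newToken], "already a reward");
        isReward[oldToken] = false;
        isReward[newToken] = true;
        rewards[i] = newToken;
    }

    // Stand-in for the per-delivery loop: its gas cost grows with rewards.length,
    // which is what the attacker pins at MAX_REWARD_TOKENS.
    function rewardBalances() external view returns (uint256[] memory out) {
        out = new uint256[](rewards.length);
        for (uint256 i = 0; i < rewards.length; i++) {
            out[i] = rewardBalance[rewards[i]];
        }
    }
}
```

Gating only the registration branch keeps the top-up path open for existing tokens; gating the whole function is the stricter reading of the recommendation and is equally effective against list filling. Whitelisting the token rather than the caller is an equivalent gate for the same branch.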