Open code423n4 opened 1 year ago
0xScotch marked the issue as sponsor confirmed
We will be removing both implementations of fillInEpochGaps
Picodes marked the issue as satisfactory
Picodes marked the issue as primary issue
Picodes marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-02-malt/blob/700f9b468f9cf8c9c5cffaa1eba1b8dea40503f9/contracts/RewardSystem/RewardThrottle.sol#L437-L462
Vulnerability details
Impact
In RewardThrottle, both checkRewardUnderflow and fillInEpochGaps call _fillInEpochGaps to fill the state of the previous epoch without profit, the difference being that checkRewardUnderflow will request the reward from the overflowPool and distribute the reward, whereas fillInEpochGaps does not.
This results in that when an epoch does not have any profit, then at the start of the next epoch that epoch will have a reward if checkRewardUnderflow is called, and no reward if fillInEpochGaps is called. According to the documentation, when an epoch is not profitable enough, the reward should be requested from the overflowPool, so checkRewardUnderflow should be called. And if fillInEpochGaps is called first, the epoch will lose its reward.
Note: populateFromPreviousThrottle will also cause epochs without any profit to lose their rewards
Proof of Concept
https://github.com/code-423n4/2023-02-malt/blob/700f9b468f9cf8c9c5cffaa1eba1b8dea40503f9/contracts/RewardSystem/RewardThrottle.sol#L437-L462
Tools Used
None
Recommended Mitigation Steps
Consider removing the fillInEpochGaps function, or only allowing it to be called when the contract is not active