search

code-423n4 / 2023-06-reserve-findings

1 stars 0 forks source link

Users who stake at the end of a freeze would get rewards as if they've staked before the freeze #24

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/StRSR.sol#L225

Vulnerability details

This one was reported in the first contest, it was mitigated but a code change that was made since then brings it back again.

Impact

Users who stake while frozen would get a share of the rewards for the period since the last call to payoutRewards().

This means that in a case of a long freeze (e.g. a week or a few weeks) - users who stake right before the freeze ends would get a reward as if they've staked before the freeze started. This comes at the expense of the stakers who have staked before the freezing begun.

Proof of Concept

While frozen the _payoutRewards() isn't called:

    function stake(uint256 rsrAmount) public {
        require(rsrAmount > 0, "Cannot stake zero");

        if (!main.frozen()) _payoutRewards();

Not paying out the rewards meaning that the next time _payoutRewards() would be called the stakers would get a reward as if they've staked at the last time it was called.

Recommended Mitigation Steps

Consider paying out rewards also while frozen

Assessed type

Other

0xA5DF commented 1 year ago

This and #11 are dupes too @0xean

c4-judge commented 1 year ago

0xean marked the issue as primary issue

c4-sponsor commented 1 year ago

tbrent marked the issue as sponsor confirmed

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean marked issue #11 as primary and marked this issue as a duplicate of 11