search

code-423n4 / 2024-02-uniswap-foundation-findings

2 stars 3 forks source link

Missing zero value will not update rewardPerTokenAccumulatedCheckpoint #405

Closed c4-bot-10 closed 7 months ago

c4-bot-10 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L570-L582 https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/V3FactoryOwner.sol#L188

Vulnerability details

Impact

When a Reward notifier with intent to renew rewards, calls UniStaker.notifyRewardAmount() with zero amount when timestamp is greater than previous rewardEndTime. The caledRewardRate is set to 0

With this, the rewardPerTokenAccumulatedCheckpoint will remain the same during checkpoints until the notifyRewardAmount() function is called again with a valid amount.

Proof of Concept

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L570-L582

Tools Used

Manual

Recommended Mitigation Steps

Apply zero amount checks

Assessed type

Other

MarioPoneder commented 7 months ago

Misbehaving reward notifier, OOS see README:

Publicly Known Issues

  1. A misbehaving reward notifier contract could grief stakers by frequently notifying this contract of tiny rewards, thereby continuously stretching out the time duration over which real rewards are distributed. It is required that reward notifiers supply reasonable rewards at reasonable intervals.
  2. A misbehaving reward notifier contract could falsely notify this contract of rewards that were not actually distributed, creating a shortfall for those claiming their rewards after others. It is required that a notifier contract always transfers the _amount to this contract before calling this method.
c4-judge commented 7 months ago

MarioPoneder marked the issue as unsatisfactory: Out of scope