Closed c4-bot-4 closed 6 months ago
Misbehaving reward notifier, OOS see README:
Publicly Known Issues
- A misbehaving reward notifier contract could grief stakers by frequently notifying this contract of tiny rewards, thereby continuously stretching out the time duration over which real rewards are distributed. It is required that reward notifiers supply reasonable rewards at reasonable intervals.
- A misbehaving reward notifier contract could falsely notify this contract of rewards that were not actually distributed, creating a shortfall for those claiming their rewards after others. It is required that a notifier contract always transfers the
_amount
to this contract before calling this method.
MarioPoneder marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-02-uniswap-foundation/blob/main/src/UniStaker.sol#L587
Vulnerability details
Impact
Denial of Service when notifyRewardAmount(...) function is called with Reward Value that is below 2.592 * 10**6
Proof of Concept
function notifyRewardAmount(uint256 _amount) external { if (!isRewardNotifier[msg.sender]) revert UniStaker__Unauthorized("not notifier", msg.sender);
} as noted from the pointer in the code above, a validation is done to ensure scaledRewardRate / SCALE_FACTOR is not equal zero, to understand this revert condition better: scaledRewardRate is equal _amount SCALE_FACTOR) / REWARD_DURATION, therefore (scaledRewardRate / SCALE_FACTOR) will equal _amount / REWARD_DURATION. Since REWARD_DURATION is 30 days, the implication of this revert condition and calculations explained above is that reward _amount must be greater than 30 24 60 60 which is a representation of 30days in seconds i.e 2.592 10^6 . Therefore whenever input reward amount is less than 2.592 10**6 , it would revert and cause denial of service.
Tools Used
Manual Review
Recommended Mitigation Steps
It should be noted that calling the notifyRewardAmount(...) function with too little amount has it complications however setting the minimum limit to 2.592 * 10**6 is too large, a smaller value should be used by the protocol to avoid denial of service
Assessed type
DoS