The issue highlighted a unique edge case pertaining to the first depositor in a pool, how they can claim a full days worth of salt rewards. this was possible due to a combination of factors including:
due to how rewards share calculation is done in _increaseUserShare function, the first depositor's rewards will be equal to the totalShares of the pool.
Rewards to pools are distributed via the upkeep contract, which has a variable 'timeSinceLastUpkeep' determining the length of time passed since last upkeep. this is set on contract deployment.
there is a delay between deployment of the upkeep contract and launch of exchange due the initial voting period that can last a few days.
this delay means that when upkeep is called after launch, the timeSinceLastUpkeep will represent a dueration of a few days, which is then capped to a days worth of rewards .
the first depositor can then call upkeep and claim a days worth of rewards.
As is evident in the code below, The final mitigation for this was to simply call upkeep right before the distribution of salt to all the relevant contract, which does two things:
does not actually emit any rewards to pools because they haven't been distributed.
resets the timeSinceLastUpkeep emission timer, so if upkeep is called by the user after distribution, only a small reward will be emitted to them.
Lines of code
Vulnerability details
Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/614
Comments
The issue highlighted a unique edge case pertaining to the first depositor in a pool, how they can claim a full days worth of salt rewards. this was possible due to a combination of factors including:
Mitigation
https://github.com/othernet-global/salty-io/commit/4f0c9c6a6e3e4234135ab7119a0e380af3e9776c
As is evident in the code below, The final mitigation for this was to simply call upkeep right before the distribution of salt to all the relevant contract, which does two things:
https://github.com/othernet-global/salty-io/blob/4f0c9c6a6e3e4234135ab7119a0e380af3e9776c/src/launch/BootstrapBallot.sol#L76C1-L77C44
Tests
tests were added to check for this and are passing.
Conclusion
LGTM