hats-finance / Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb

Fork of the Inverter Smart Contracts Repository
GNU Lesser General Public License v3.0

Malicious Users Can Exploit StakingQueue to Gain All Rewards #138

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x440c73a99d6db296790950f70f66b103a9cddf71363c24017cb10017604ffe2d
Severity: medium

Description: The stakingQueue has a maximum of 50 entries, and users can stake and unstake before or after postAssertion as often as they want. The issue is that malicious users can fill the stakingQueue each time, allowing them to gain all rewards.

Scenario:

  1. The owner sets a reward of $1000.
  2. The minimum stake is $100.
  3. Malicious users fill the stakingQueue with $5000.
  4. Malicious users unstake all tokens except for a small amount to gain all rewards.
  5. Malicious users refill the stakingQueue with $5000.
  6. No one else can stake, and malicious users gain all rewards by continuously unstaking and staking.

Impact: This behavior prevents other users from gaining rewards and allows malicious users to monopolize all rewards, making the contract unusable for other participants.

Mitigation: Introduce a lock time or fee mechanism in the LM_PC_KPIRewarder_v1 contract to prevent abuse.

PlamenTSV commented 2 months ago

Same issue in old audit report

0xmahdirostami commented 2 months ago

> Same issue in old audit report

Yes, thank you, but it's not fixed. The minimum stake couldn't fix the problem in the situation I mentioned.

    uint minimumStake; // The workflow owner can set a minimum stake amount to mitigate griefing attacks where sybils spam the queue with multiple small stakes.

  1. The owner sets a reward of $1000.
  2. The minimum stake is $100.
  3. Malicious users fill the stakingQueue with $5000.
  4. Malicious users unstake all tokens except for a small amount to gain all rewards.
  5. Malicious users refill the stakingQueue with $5000.
  6. No one else can stake, and malicious users gain all rewards by continuously unstaking and staking.
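A toy model of the reported mechanic, added here as an illustration and not Inverter's code (the queue/assertion flow is simplified): 50 slots, a minimum stake, pro-rata reward distribution and no lock on unstaking. The `stake_fee` parameter is an assumed stand-in for the fee mechanism the report proposes, so a reviewer can check at which fee level one stake/assert/unstake cycle stops paying for itself.

```python
# Toy model of a bounded staking queue (constructed example, not the project's code).
from dataclasses import dataclass, field

QUEUE_LIMIT = 50          # maximum queue entries, as stated in the report
MINIMUM_STAKE = 100       # the report's $100 minimum stake
REWARD = 1000             # the report's $1000 reward per assertion


@dataclass
class StakingQueue:
    stake_fee: int = 0                          # hypothetical flat fee per stake() call
    queue: list = field(default_factory=list)   # (staker, amount) entries, FIFO
    fees_paid: dict = field(default_factory=dict)

    def stake(self, staker: str, amount: int) -> bool:
        """Queue a stake; refused below the minimum or when every slot is taken."""
        if amount < MINIMUM_STAKE or len(self.queue) >= QUEUE_LIMIT:
            return False
        self.fees_paid[staker] = self.fees_paid.get(staker, 0) + self.stake_fee
        self.queue.append((staker, amount))
        return True

    def unstake_all(self, staker: str) -> int:
        """No lock time in the reported design: entries can leave at any moment."""
        before = len(self.queue)
        self.queue = [e for e in self.queue if e[0] != staker]
        return before - len(self.queue)

    def post_assertion(self, reward: int) -> dict:
        """Split the reward pro rata across whoever occupies the queue right now."""
        total = sum(amount for _, amount in self.queue)
        payout = {}
        for staker, amount in self.queue:
            payout[staker] = payout.get(staker, 0) + reward * amount // total
        return payout


def griefing_round(stake_fee: int = 0) -> dict:
    """One stake/assert/unstake cycle of the reported scenario."""
    q = StakingQueue(stake_fee)
    for _ in range(QUEUE_LIMIT):
        q.stake("attacker", MINIMUM_STAKE)      # 50 x $100 = $5000 fills every slot
    legit_in = q.stake("legit", MINIMUM_STAKE)  # rejected: queue is full
    payout = q.post_assertion(REWARD)
    freed = q.unstake_all("attacker")           # capital returns, ready to refill
    net = payout.get("attacker", 0) - q.fees_paid.get("attacker", 0)
    return {"legit_in": legit_in, "attacker_reward": payout.get("attacker", 0),
            "slots_freed": freed, "attacker_net": net}
```

With `stake_fee=0` the attacker nets the full $1000 each cycle while the legitimate staker is never admitted; at `stake_fee=25` the 50 stakes cost $1250 per cycle and the round is a net loss.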

FHieser commented 2 months ago

OOS