Closed sherlock-admin closed 1 year ago
This is addressed by the comment on L68. At worst only about 1/3 of tau rewards can be delayed in this way. Even in the example given, 3/4 of the reward tau will still be distributed within the expected day.
Since the exact DRIP_DURATION is not very important, and in the theoretical worst case about 99% of the rewards will be distributed within 4 days, this seems to be a non-issue. So long as rewards are eventually disbursed within a reasonable timeframe, a slightly longer reward rate actually benefits the protocol somewhat, rewarding longer-term users.
0x52
medium
Adversary can call distributeTauRewards with amount = 0 to purposefully decrease reward rate
Summary
When distributeTauRewards is called with amount = 0 it doesn't withhold any extra tokens but resets the distribution time, which results in the reward rate decreasing. Imagine 100 TAU is being vested. After 12 hours an adversary can call distributeTauRewards with amount = 0. This will distribute 50 TAU and cause the other 50 TAU to be vested over the next 24 hours, effectively halving the reward rate.
Vulnerability Detail
See summary
Impact
Reward rate can be maliciously lowered
Code Snippet
TauDripFeed.sol#L51-L60
Tool used
Manual Review
Recommendation
Only allow rewards to be distributed if it increases reward rate
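
The arithmetic discussed in the report and in the reply above can be checked with a small model. This is an added example, not code from TauDripFeed.sol: it assumes a 24-hour DRIP_DURATION, linear release, and that every call re-spreads the undistributed balance over a fresh window; `DripModel`, `run` and the `guard` flag (the recommendation) are hypothetical names.

```python
DRIP_DURATION = 24 * 3600  # seconds; assumed from the report's 24-hour example

class DripModel:
    """Simplified model, not the contract: every call restarts a linear drip window."""

    def __init__(self, guard=False):
        self.withheld = 0.0   # tokens still to be dripped, as of self.start
        self.paid = 0.0       # tokens already released to stakers
        self.start = 0        # start of the current drip window
        self.guard = guard    # True applies the report's recommendation

    def _released(self, now):
        # Linear release of the withheld balance over DRIP_DURATION.
        elapsed = min(now - self.start, DRIP_DURATION)
        return self.withheld * elapsed / DRIP_DURATION

    def distribute(self, now, amount):
        released = self._released(now)
        remaining = self.withheld - released + amount
        window_open = now - self.start < DRIP_DURATION
        old_rate = self.withheld / DRIP_DURATION if window_open else 0.0
        if self.guard and remaining / DRIP_DURATION < old_rate:
            return False      # would lower the reward rate: reject, state unchanged
        self.paid += released
        self.withheld, self.start = remaining, now
        return True

    def paid_by(self, now):
        # Total released by `now`, assuming no further calls.
        return self.paid + self._released(now)


def run(zero_call_times, horizon, guard=False):
    """Vest 100 TAU at t=0, replay zero-amount calls, return TAU paid by horizon."""
    m = DripModel(guard)
    m.distribute(0, 100.0)
    for t in zero_call_times:
        m.distribute(t, 0.0)
    return m.paid_by(horizon)


if __name__ == "__main__":
    H = 3600
    print(run([], 24 * H))                       # undisturbed schedule
    print(run([12 * H], 24 * H))                 # the report's single call at 12 h
    print(run(range(60, 24 * H, 60), 24 * H))    # a call every minute for one day
    print(run(range(60, 96 * H, 60), 96 * H))    # the same over four days
    print(run([12 * H], 24 * H, guard=True))     # recommendation applied
```

Under these assumptions a single zero-amount call at 12 hours leaves 75 of 100 TAU paid by the end of the day, a call every minute leaves about 63 TAU paid after one day and about 98 TAU after four, and the guarded version rejects the zero-amount call so the full 100 TAU is paid on schedule.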