sdt fees of a cycle may be distributed to the next cycle cvgSdt stakers
Summary
sdt fees of a cycle may be distributed to the next cycle cvgSdt stakers depending on the timing of processSdtRewards calls.
Vulnerability Detail
A percentage of earned sdt from sdStakers is given to the cvgSdt stakers. It gets collected when the processSdtRewards function is called on the respective staking contracts which can happen anytime after the cycle is updated.
The cvgSdt stakers calim this reward by calling the processSdtRewards function in the cvgSdt contract. In the scenario where processSdtRewards of cvgSdt staking contract is called first, the cvgSdt stakers loose the sdt rewards of this cycle which is passed on to the next cycle.
A user who has a large stake in the next cycle would be motivated to do this as the rewards would be distributed in the next cycle
Impact
Stakers of a cycle may loose their deserved share of sdt fees
To account this the reward distribution mechanism of cvgSdt staking will have to be changed. Consider a mechanism which allows the buffer to pull sdt till the end of cycle
hash
medium
sdtfees of a cycle may be distributed to the next cyclecvgSdtstakersSummary
sdtfees of a cycle may be distributed to the next cyclecvgSdtstakers depending on the timing ofprocessSdtRewardscalls.Vulnerability Detail
A percentage of earned sdt from sdStakers is given to the cvgSdt stakers. It gets collected when the
processSdtRewardsfunction is called on the respective staking contracts which can happen anytime after the cycle is updated. The cvgSdt stakers calim this reward by calling theprocessSdtRewardsfunction in the cvgSdt contract. In the scenario whereprocessSdtRewardsof cvgSdt staking contract is called first, the cvgSdt stakers loose the sdt rewards of this cycle which is passed on to the next cycle. A user who has a large stake in the next cycle would be motivated to do this as the rewards would be distributed in the next cycleImpact
Stakers of a cycle may loose their deserved share of sdt fees
Code Snippet
processSdtRewardsof cvgSdt can be called as soon as the cycle is updated and this callspullRewardsofcvgSdtbuffer https://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Staking/StakeDAO/SdtStakingPositionService.sol#L550-L559The
sdtreward is computed using the currently availablesdtamount in thesdtFeeCollectorhttps://github.com/sherlock-audit/2023-11-convergence/blob/main/sherlock-cvg/contracts/Rewards/StakeDAO/CvgSdtBuffer.sol#L76-L89Tool used
Manual Review
Recommendation
To account this the reward distribution mechanism of cvgSdt staking will have to be changed. Consider a mechanism which allows the buffer to pull sdt till the end of cycle
Duplicate of #56