Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, if there are insufficient rewards to cover a specific validator, their rewards will be skipped until staking manager top ups rewards again. This is to prevent loss of rewards for validators, so it is intended
cheatcode
medium
Inequitable Reward Distribution When Pool is Depleted
Summary
The
OperationalStaking
contract'srewardValidators
function contains insufficient logic to handle reward pool depletion scenarios. This leads to inequitable distribution, lack of transparency for validators, and centralized control risks.Vulnerability Detail
The current check
if (newRewardPool < amount)
does not adequately handle scenarios where the reward pool is depleted before rewarding all validators. It simply emits an event and continues.Impact
Validators who are processed later miss out on rewards despite equal eligibility. This causes confusion and unfairness, reducing trust in the reward distribution mechanism.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L274C13-L277C14
Tool used
Manual Review
Recommendation
Implement pro-rata distribution to split available rewards proportionally when facing depletion. Also consider dynamic reward calculations based on the pool rather than fixed amounts.