sherlock-audit / 2023-11-covalent-judging

cheatcode - Inequitable Reward Distribution When Pool is Depleted #121

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

cheatcode

medium

Inequitable Reward Distribution When Pool is Depleted

Summary

The OperationalStaking contract's rewardValidators function contains insufficient logic to handle reward pool depletion scenarios. This leads to inequitable distribution, lack of transparency for validators, and centralized control risks.

Vulnerability Detail

The current check if (newRewardPool < amount) does not adequately handle scenarios where the reward pool is depleted before rewarding all validators. It simply emits an event and continues.

Impact

Validators who are processed later miss out on rewards despite equal eligibility. This causes confusion and unfairness, reducing trust in the reward distribution mechanism.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L274C13-L277C14

if (newRewardPool < amount) {
  emit RewardFailedDueLowPool(validatorId, amount);
  continue;
}

Tool used

Manual Review

Recommendation

Implement pro-rata distribution to split available rewards proportionally when facing depletion. Also consider dynamic reward calculations based on the pool rather than fixed amounts.

sherlock-admin2 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 8 months ago

Invalid. If there are insufficient rewards to cover a specific validator, their rewards will be skipped until the staking manager tops up rewards again. This is to prevent loss of rewards for validators, so it is intended.
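
The two behaviours discussed in this thread, as an added example that is not part of the report, the comments, or the Covalent code base: a simplified Python model of the quoted skip-on-shortfall check beside the pro-rata split the report recommends. Only `newRewardPool`, `amount`, `validatorId` and `RewardFailedDueLowPool` come from the page; the function names, the sample amounts, the top-up and the resubmission step are assumptions.

```python
# Simplified model for illustration; NOT the OperationalStaking contract.
# Amounts are integers, as token amounts are on-chain.

def reward_skip(pool, rewards):
    """Skip-on-shortfall, mirroring the quoted `if (newRewardPool < amount)`."""
    paid, failed = {}, []
    for validator_id, amount in rewards:
        if pool < amount:
            # stands in for: emit RewardFailedDueLowPool(validatorId, amount)
            failed.append((validator_id, amount))
            continue
        pool -= amount
        paid[validator_id] = amount
    return pool, paid, failed

def reward_pro_rata(pool, rewards):
    """The report's recommendation: scale all amounts when the pool is short."""
    total = sum(amount for _, amount in rewards)
    if total <= pool:
        return pool - total, dict(rewards), {}
    # Floor division, as integer math would do on-chain.
    paid = {v: amount * pool // total for v, amount in rewards}
    unpaid = {v: amount - paid[v] for v, amount in rewards}
    return pool - sum(paid.values()), paid, unpaid

def demo():
    rewards = [(1, 60), (2, 50), (3, 30)]  # constructed (validatorId, amount)
    pool, paid, failed = reward_skip(100, rewards)
    # Assumed: staking manager tops up 100, then resubmits the failed entry.
    pool2, paid2, failed2 = reward_skip(pool + 100, failed)
    pr_pool, pr_paid, pr_unpaid = reward_pro_rata(100, rewards)
    return {"skip": (pool, paid, failed),
            "retry": (pool2, paid2, failed2),
            "pro_rata": (pr_pool, pr_paid, pr_unpaid)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model validator 2 is skipped on the first pass and receives its full 50 after the top-up, while the pro-rata split pays every validator less than its amount and leaves a per-validator remainder that would need separate accounting.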