sherlock-audit / 2023-11-covalent-judging


petro1912 - A delegator can receive the rewards immediately by calling `stake` or `redelegateUnstake` to the corresponding delegator when the `RewardFailedDueLowPool` event is emitted. #54

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

petro1912

high

A delegator can receive the rewards immediately by calling stake or redelegateUnstake to the corresponding delegator when the RewardFailedDueLowPool event is emitted.

Summary

If the rewardPool does not have enough funds to reward the validators, the exchangeRate is not updated at that moment; it is updated only after rewardValidators is called again.

Vulnerability Detail

When the stakingManager calls the rewardValidators function, if the rewardPool is not sufficient to distribute rewards to the validators, the RewardFailedDueLowPool event is emitted and the validator's exchangeRate is not updated. Even though a delegator had not yet delegated stake to the validator, the delegator can receive the rewards by calling stake or redelegateUnstake if the stakingManager later calls depositRewardTokens and then rewardValidators again.

Impact

By hooking the event emission, a delegator can receive the reward by staking immediately. A malicious delegator can receive rewards immediately, knowing that the rewards will be distributed to specific validators shortly thereafter.

Code Snippet

https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L274-L277

Tool used

Manual Review

Recommendation

The stakingManager must check whether the rewardPool is sufficient to reward the validators. If it is not, the call should revert instead of emitting an event.

Duplicate of #47
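The sequence the report describes (failed reward call, stake at the stale rate, successful retry) replayed in a simplified share-based delegation model. This is an added example, not Covalent's OperationalStaking code and not part of the original report; the exchange-rate formula (tokens per share, fixed-point), the method names, the "Rewarded" event name, the `strict` flag that stands in for the report's "revert instead of emit" recommendation, and all amounts are assumptions.

```python
"""Simplified share-based delegation model, constructed to illustrate the timing gap
described in the report. Not the project's contract: the formula, names and amounts
are assumptions made for this example."""

SCALE = 10**18  # fixed-point scale for the exchange rate (assumption)


class InsufficientRewardPool(Exception):
    """Raised by reward_validators in strict mode when the pool cannot cover the reward."""


class ValidatorPool:
    def __init__(self, strict: bool = False):
        self.strict = strict         # True: revert instead of emitting RewardFailedDueLowPool
        self.reward_pool = 0         # tokens deposited by the staking manager for rewards
        self.staked = 0              # tokens backing the validator; grows when rewards land
        self.shares = 0              # total shares held by delegators
        self.balances = {}           # delegator -> shares
        self.events = []             # emitted event names, in order

    def exchange_rate(self) -> int:
        """Tokens per share, scaled by SCALE. Only a successful reward moves it upward."""
        if self.shares == 0:
            return SCALE
        return self.staked * SCALE // self.shares

    def stake(self, delegator: str, amount: int) -> int:
        """Mint shares at the current exchange rate; return the number minted."""
        minted = amount * SCALE // self.exchange_rate()
        self.staked += amount
        self.shares += minted
        self.balances[delegator] = self.balances.get(delegator, 0) + minted
        return minted

    def deposit_reward_tokens(self, amount: int) -> None:
        self.reward_pool += amount

    def reward_validators(self, amount: int) -> bool:
        """Pay `amount` from reward_pool into the validator; True if the rate was updated."""
        if self.reward_pool < amount:
            if self.strict:
                raise InsufficientRewardPool(amount)   # the report's recommendation
            self.events.append("RewardFailedDueLowPool")  # rate silently left stale
            return False
        self.reward_pool -= amount
        self.staked += amount        # every existing share now redeems for more tokens
        self.events.append("Rewarded")
        return True

    def value_of(self, delegator: str) -> int:
        """Tokens a delegator's shares redeem for at the current exchange rate."""
        return self.balances.get(delegator, 0) * self.exchange_rate() // SCALE


def run_scenario() -> dict:
    """Failed reward -> opportunistic stake at the stale rate -> successful retry."""
    pool = ValidatorPool()
    pool.stake("honest", 1_000)               # present for the whole reward period
    epoch_reward = 100
    first_try = pool.reward_validators(epoch_reward)   # pool empty: event, rate unchanged
    rate_after_fail = pool.exchange_rate()
    pool.stake("attacker", 1_000)             # reacts to RewardFailedDueLowPool, stakes at 1.0
    pool.deposit_reward_tokens(epoch_reward)
    second_try = pool.reward_validators(epoch_reward)  # retry succeeds, rate becomes 1.05
    return {
        "first_try": first_try,
        "second_try": second_try,
        "rate_unchanged_after_fail": rate_after_fail == SCALE,
        "events": pool.events,
        "honest_value": pool.value_of("honest"),      # 1050: half of a reward it fully earned
        "attacker_value": pool.value_of("attacker"),  # 1050: half of a reward it did not earn
    }


def strict_call_reverts() -> bool:
    """Same first step under the recommended behaviour: the call reverts, no event is emitted."""
    pool = ValidatorPool(strict=True)
    pool.stake("honest", 1_000)
    try:
        pool.reward_validators(100)
    except InsufficientRewardPool:
        return pool.events == []
    return False


if __name__ == "__main__":
    print(run_scenario())
    print("strict mode reverts:", strict_call_reverts())
```

The 100-token reward accrued while only the honest delegator was staked, yet after the retry both delegators redeem for 1050: the stake placed between the failed call and the retry captures half of it because the exchange rate was still 1.0 when the shares were minted. `strict_call_reverts` only shows the literal recommendation (revert rather than emit); it makes no claim about whether that alone closes the window.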

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

noslav commented 8 months ago

fixed by https://github.com/covalenthq/cqt-staking/commit/a609cca0426cb22cbf5064212341c14c288efeda