Blocking voters from receiving extra bribe rewards
Summary
Blocking voters from receiving extra bribe rewards.
Vulnerability Detail
All bribe reward contracts register themselves in the Voter contract. This can be problematic because a malicious user can create several empty bribe reward contracts (by empty, I mean reward contracts with very small amounts as rewards) and block other users from creating reward contracts with larger reward amounts.
This can easily be done because only 5 reward contracts can be added to a given period and pool.
require(_bribesPerPriod[periods[i]][pool].length + 1 <= Constants.MAX_BRIBES_PER_POOL, "too much bribes");
A bribe reward contract is used to reward users who vote for a given period and pool to receive a reward for their vote. This can be DDoS by malicious users through the creation of many empty reward contracts and registering them in the Voter contract. This can be done by anyone who notices that a particular pool is more likely to be voted on by users, thereby blocking for examle the next 100 periods with zero rewards given to the voters.
Impact
Blocking voters from receiving extra bribe rewards.
gkrastenov
Medium
Blocking voters from receiving extra bribe rewards
Summary
Blocking voters from receiving extra bribe rewards.
Vulnerability Detail
All bribe reward contracts register themselves in the
Voter
contract. This can be problematic because a malicious user can create several empty bribe reward contracts (by empty, I mean reward contracts with very small amounts as rewards) and block other users from creating reward contracts with larger reward amounts.This can easily be done because only 5 reward contracts can be added to a given period and pool.
A bribe reward contract is used to reward users who vote for a given period and pool to receive a reward for their vote. This can be
DDoS
by malicious users through the creation of many empty reward contracts and registering them in theVoter
contract. This can be done by anyone who notices that a particular pool is more likely to be voted on by users, thereby blocking for examle the next 100 periods with zero rewards given to the voters.Impact
Blocking voters from receiving extra bribe rewards.
Tool used
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L141
Manual Review
Recommendation
Add a minimum requirement for the amount which a bribe reward contract should have.
Duplicate of #190