Blocking voters from receiving extra bribe rewards

Summary

Blocking voters from receiving extra bribe rewards.

Vulnerability Detail

All bribe reward contracts register themselves in the Voter contract. This can be problematic because a malicious user can create several empty bribe reward contracts (by empty, I mean reward contracts with very small amounts as rewards) and block other users from creating reward contracts with larger reward amounts.

This can easily be done because only 5 reward contracts can be added to a given period and pool.

require(_bribesPerPriod[periods[i]][pool].length + 1 <= Constants.MAX_BRIBES_PER_POOL, "too much bribes");

A bribe reward contract is used to reward users who vote for a given period and pool to receive a reward for their vote. This can be DDoS by malicious users through the creation of many empty reward contracts and registering them in the Voter contract. This can be done by anyone who notices that a particular pool is more likely to be voted on by users, thereby blocking for examle the next 100 periods with zero rewards given to the voters.

Impact

Blocking voters from receiving extra bribe rewards.

Tool used

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L141

Manual Review

Recommendation

Add a minimum requirement for the amount which a bribe reward contract should have.

Duplicate of #190

sherlock-audit / 2024-06-magicsea-judging