sherlock-audit / 2024-06-magicsea-judging

8 stars 5 forks source link

slowfi - Fake Token Can Be Used To Block Real `BribeRewarders` #690

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

slowfi

Medium

Fake Token Can Be Used To Block Real BribeRewarders

Summary

The Voter function allows a maximum of 5 BribeRewarders. This should incentivise the community to vote for certain pools. However creating a BribeRewarder is permissionless. Users may create BribeRewarders with fake tokens to block the entrance of real incentivicers to the system and there is no way to prevent it.

Vulnerability Detail

Anyone can create a BribeRewarder for a pool with a scam or fake token. This may achieve the exact opposite effect to the one desired.

Impact

This can prevent the system for operating as expected.

Code Snippet

Voter.sol#L130-L144

  function onRegister() external override {
      IBribeRewarder rewarder = IBribeRewarder(msg.sender);

      _checkRegisterCaller(rewarder);

      uint256 currentPeriodId = _currentVotingPeriodId;
      (address pool, uint256[] memory periods) = rewarder.getBribePeriods();
      for (uint256 i = 0; i < periods.length; ++i) {
          // TODO check if rewarder token + pool  is already registered

          require(periods[i] >= currentPeriodId, "wrong period");
          require(_bribesPerPriod[periods[i]][pool].length + 1 <= Constants.MAX_BRIBES_PER_POOL, "too much bribes");
          _bribesPerPriod[periods[i]][pool].push(rewarder);
      }
  }

Tool used

Manual Review

Recommendation

Allow the admin to erase fake BribeRewarder if detected.

Duplicate of #190