sherlock-audit / 2024-06-magicsea-judging


Glorious Bronze Ladybug - Anyone could create briber #715

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

Glorious Bronze Ladybug

Low/Info

Anyone could create briber

Summary

In the current implementation, anyone can create a BribeRewarder in the RewarderFactory. This unrestricted access can lead to potential problems.

Vulnerability Detail

The vulnerability arises from the fact that anyone can create a BribeRewarder. A malicious user could exploit this by creating multiple bribe rewarders for a pool using minimal amounts, such as 1 wei. This would dilute the rewards for voters, resulting in them receiving very small, negligible rewards. Also, in some situations a malicious user could front-run and create a briber with the same start and end period, but with a lot smaller reward.

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/RewarderFactory.sol#L96-L113

Impact

  1. Voters will receive significantly reduced rewards due to the creation of multiple bribe rewarders with minimal amounts. This makes the voting process less attractive and potentially unfair.

  2. Malicious users can exploit this vulnerability to disrupt the reward distribution system, reducing the effectiveness of the incentive mechanism.

Code Snippet

function createRewarder(RewarderType rewarderType, IERC20 token, uint256 pid)
        external
        returns (IBaseRewarder rewarder)
    {

Tool used

Manual Review

Recommendation

Consider restricting creation of BribeRewarder to the owner only.
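
The recommendation above as an added sketch, not code from the MagicSea repository or from the report's author: it keeps the `createRewarder` parameters shown in the snippet and rejects `BribeRewarder` creation from any caller other than the owner. `GatedRewarderFactory`, `StubRewarder`, the `InvalidRewarder` enum member, the errors and the event are hypothetical names, and the return type is a stand-in for `IBaseRewarder`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not the MagicSea RewarderFactory source.
interface IERC20 {}

// Hypothetical stand-in for the real rewarder implementations.
contract StubRewarder {
    address public immutable creator;
    IERC20 public immutable token;
    uint256 public immutable pid;

    constructor(address creator_, IERC20 token_, uint256 pid_) {
        creator = creator_;
        token = token_;
        pid = pid_;
    }
}

contract GatedRewarderFactory {
    // Only BribeRewarder is named on the page; InvalidRewarder is assumed.
    enum RewarderType { InvalidRewarder, BribeRewarder }

    error NotOwner(address caller);
    error InvalidRewarderType();

    address public immutable owner;

    event RewarderCreated(
        RewarderType indexed rewarderType, IERC20 indexed token, uint256 indexed pid, address rewarder
    );

    constructor() {
        owner = msg.sender;
    }

    function createRewarder(RewarderType rewarderType, IERC20 token, uint256 pid)
        external
        returns (StubRewarder rewarder)
    {
        if (rewarderType == RewarderType.InvalidRewarder) revert InvalidRewarderType();
        // The recommended restriction: bribe rewarders can be created by the owner only.
        if (rewarderType == RewarderType.BribeRewarder && msg.sender != owner) {
            revert NotOwner(msg.sender);
        }
        rewarder = new StubRewarder(msg.sender, token, pid);
        emit RewarderCreated(rewarderType, token, pid, address(rewarder));
    }
}
```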