Lack of time gap restrictions on the distribute call allows for sizeable loss on the rewarded distribution
Summary
Lack of time gap restrictions on the distribute call allows for sizeable loss on the rewarded distribution
Vulnerability Detail
The distribute function which distributes the reward to the staking contract (from the vest) doesn't enforce any time gap b/w calls and is callable by the public
This allows a user to invoke the distribute function in the lowest possible interval (ie. block period == 12s) which would yield the lowest reward which could result to a reward rate of 0 (or a significant loss) depending on the other configurations like reward duration, total staked amount and the vesting parameters
Example POC
The following test shows a possible loss of > 0.5% for the same:
function testRewardNullify() public {
// 10million totalSupply, 5% return, 500k worth of mkr. 500k worth mkr = 500k/ 3k == 166mkr
uint reward = 250e18;
uint yearTime = 365 days;
// for 12 second, reward
uint perBlock = reward * 12 / yearTime;
uint rewardRate = perBlock / 7 days;
uint daiSupply = 1e25;
uint rewardPerToken = rewardRate * 12 * 1e18 / daiSupply;
assert(rewardPerToken == 125);
// == 125, possible loss is 1 due to rounding, so loss % = 1/125 * 100 > 0.5%
}
Impact
A sizeable portion of the reward tokens can be lost
hash
Medium
Lack of time gap restrictions on the
distribute
call allows for sizeable loss on the rewarded distributionSummary
Lack of time gap restrictions on the
distribute
call allows for sizeable loss on the rewarded distributionVulnerability Detail
The
distribute
function which distributes the reward to the staking contract (from the vest) doesn't enforce any time gap b/w calls and is callable by the publicThis allows a user to invoke the distribute function in the lowest possible interval (ie. block period == 12s) which would yield the lowest reward which could result to a reward rate of 0 (or a significant loss) depending on the other configurations like reward duration, total staked amount and the vesting parameters
Example POC
The following test shows a possible loss of > 0.5% for the same:
Impact
A sizeable portion of the reward tokens can be lost
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/endgame-toolkit/src/VestedRewardsDistribution.sol#L152
Tool used
Manual Review
Recommendation
Enforce a timegap b/w the distributions