sherlock-audit / 2024-06-makerdao-endgame-judging


J4de - After `StakingRewards` is paused, new rewards can still be added, resulting in rewards being claimed by existing stakers #33

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 1 month ago

J4de

Medium

After StakingRewards is paused, new rewards can still be added, resulting in rewards being claimed by existing stakers

Summary

After StakingRewards is paused, new rewards can still be added, resulting in rewards being claimed by existing stakers.

Vulnerability Detail

The StakingRewards contract can be paused. The only function affected is stake. Once the contract is paused, users will not be able to stake, but everything else remains normal.

When the contract is paused, the notifyRewardAmount function is still available. That is, the rewards are still being distributed. These rewards will flow into a small number of existing stakers, and others cannot claim these rewards by staking. In addition, the contract pause causes users to withdraw, making the existing stakers more profitable.

Impact

The distribution of StakingRewards will become unreasonable, and the staking rewards will flow into a small number of existing stakers.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/synthetix/StakingRewards.sol#L144

Tool used

Manual Review

Recommendation

After the contract is paused, new rewards should be stopped.
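The distribution imbalance described above, as an added example that is not part of this issue or of the audited repository: a simplified Python model of Synthetix-style reward accounting (an assumption about the contract's logic, not its code) in which pause gates only `stake`, with `gate_notify=True` adding the recommended check to `notifyRewardAmount`.

```python
WAD = 10**18

class StakingRewards:
    """Simplified model (assumption, not the audited code) of Synthetix-style reward accounting."""
    def __init__(self, duration=7 * 86400, gate_notify=False):
        self.duration, self.gate_notify = duration, gate_notify
        self.now = self.total = self.rate = self.finish = self.last = self.rpt = 0
        self.paused = False
        self.bal, self.paid, self.rew = {}, {}, {}  # balances, userRewardPerTokenPaid, rewards
    def reward_per_token(self):
        if self.total == 0:
            return self.rpt
        return self.rpt + (min(self.now, self.finish) - self.last) * self.rate * WAD // self.total
    def earned(self, who):
        return self.bal.get(who, 0) * (self.reward_per_token() - self.paid.get(who, 0)) // WAD + self.rew.get(who, 0)
    def _update(self, who=None):  # updateReward modifier
        self.rpt, self.last = self.reward_per_token(), min(self.now, self.finish)
        if who:
            self.rew[who], self.paid[who] = self.earned(who), self.rpt
    def stake(self, who, amt):
        if self.paused:  # the only whenNotPaused check, as the report describes
            raise RuntimeError("Pausable: paused")
        self._update(who)
        self.total += amt
        self.bal[who] = self.bal.get(who, 0) + amt
    def withdraw(self, who, amt):  # not gated by pause
        self._update(who)
        self.total -= amt
        self.bal[who] -= amt
    def notify_reward_amount(self, reward):
        if self.gate_notify and self.paused:  # the recommended additional check
            raise RuntimeError("Pausable: paused")
        self._update()
        leftover = max(self.finish - self.now, 0) * self.rate  # unfinished period rolls over
        self.rate = (reward + leftover) // self.duration
        self.last, self.finish = self.now, self.now + self.duration

def pause_scenario(gate_notify=False):
    # Constructed scenario: Alice and Bob stake equally, governance pauses, Bob exits,
    # then 1000 new reward tokens are notified while the contract is still paused.
    sr = StakingRewards(duration=100, gate_notify=gate_notify)
    sr.stake("alice", 100)
    sr.stake("bob", 100)
    sr.paused = True
    sr.withdraw("bob", 100)
    try:
        sr.notify_reward_amount(1000)
    except RuntimeError:
        return "notify reverted"
    sr.now += 100  # full reward period elapses; nobody new can stake meanwhile
    return sr.earned("alice"), sr.earned("bob")
```

Without the extra check the whole 1000-token period accrues to Alice as the sole remaining staker; with it, governance must unpause before any new rewards can be scheduled.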

telome commented 1 month ago

Governance is expected to stop rewards distribution if it wishes so, regardless of whether farm deposits are stopped or not. Even if there is a mistake or negligence, several days of redundant rewards distribution is not a significant issue.