J4de - `StakingRewards.setRewardsDuration` will change the duration of an existing reward distribution

[sherlock-admin2]

J4de

Medium

StakingRewards.setRewardsDuration will change the duration of an existing reward distribution

Summary

StakingRewards.setRewardsDuration will change the duration of an existing reward distribution

Vulnerability Detail

The setRewardsDuration function is used to update the rewardsDuration global variable. If the current reward has not ended, setRewardsDuration will update the end time of the current reward. This leads to the possibility that it may affect the legitimacy of current rewards. For example.

1. The current rewardsDuration is 30 days, so the amount of rewards added each time is the amount of 30 days
2. There is currently a reward, 1 day has been allocated and 29 days are left
3. The admin calls setRewardsDuration to update rewardsDuration to 5 days, and the amount of rewards added each time in the future is 5 days
4. The current reward rate will increase by 29/5 = 5.8 times

Even if future rewards are reasonable, the current reward rate becomes unreasonable.

Impact

The reward rate becomes unreasonable and users may take the opportunity to arbitrage.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/synthetix/StakingRewards.sol#L175-L177

Tool used

Manual Review

Recommendation

Before updating rewardsDuration, make sure there is no reward currently.

[telome]

This is expected behaviour and is just how the farm distribution works. Also exists in the original SynthetixRewards contract, so out of scope.