Closed sherlock-admin4 closed 1 month ago
Not an issue. From the rules: "Governance configurations are assumed to be set with extreme care. Lack of sanity check issues are not viable submissions. Governance is assumed as non-malicious with regards to all matters."
bareli
Medium
StakingRewards.setRewardsDuration allows setting near zero or enormous rewardsDuration, which breaks reward logic
Summary
rewardsDuration can be set to zero and notifyRewardAmount will cease to produce meaningful results if rewardsDuration is too small or too big.
Vulnerability Detail
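The setter does not control the value, allowing zero/near zero/enormous duration:

```solidity
function setRewardsDuration(uint256 _rewardsDuration) external onlyOwner updateReward(address(0)) {
    // Cache the storage value in a local (trailing underscore avoids shadowing).
    uint256 periodFinish_ = periodFinish;
    if (block.timestamp < periodFinish_) {
        // Rewards not yet distributed in the running period.
        uint256 leftover = (periodFinish_ - block.timestamp) * rewardRate;
        // No bound on _rewardsDuration: 0 reverts here, a huge value truncates the rate to 0.
        rewardRate = leftover / _rewardsDuration;
        periodFinish = block.timestamp + _rewardsDuration;
    }
    // ... remainder of the function is not shown in the report
}
```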
Impact
notifyRewardAmount will fail if rewardsDuration is too small or too big.
Code Snippet
https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/synthetix/StakingRewards.sol#L172
Tool used
Manual Review
Recommendation
Check for min and max range in the rewardsDuration setter, as too small or too big rewardsDuration breaks the logic.
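
The range check described in the recommendation, as an added example that is not the project's code or the reporter's. The contract name, the two bound constants and their values, the `owner` handling and the event declaration are assumptions made for illustration, and the `updateReward` modifier is left out so the block compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

/// Illustration only: a cut-down rewards contract, not the audited StakingRewards.
contract BoundedRewardsDuration {
    // Hypothetical bounds; pick values that fit the reward token and schedule.
    uint256 public constant MIN_REWARDS_DURATION = 1 days;
    uint256 public constant MAX_REWARDS_DURATION = 365 days;

    address public immutable owner;
    uint256 public periodFinish;
    uint256 public rewardRate;
    uint256 public rewardsDuration = 7 days;

    event RewardsDurationUpdated(uint256 newDuration);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setRewardsDuration(uint256 _rewardsDuration) external onlyOwner {
        // Lower bound: rejects 0 (division by zero below) and near-zero durations.
        require(_rewardsDuration >= MIN_REWARDS_DURATION, "duration too short");
        // Upper bound: rejects durations where leftover / duration truncates to 0
        // or block.timestamp + duration overflows uint256.
        require(_rewardsDuration <= MAX_REWARDS_DURATION, "duration too long");

        uint256 periodFinish_ = periodFinish;
        if (block.timestamp < periodFinish_) {
            // Spread the undistributed remainder over the new duration.
            uint256 leftover = (periodFinish_ - block.timestamp) * rewardRate;
            rewardRate = leftover / _rewardsDuration;
            periodFinish = block.timestamp + _rewardsDuration;
        }
        rewardsDuration = _rewardsDuration;
        emit RewardsDurationUpdated(_rewardsDuration);
    }
}
```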