search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

bareli - StakingRewards.setRewardsDuration allows setting near zero or enormous rewardsDuration`, which breaks reward logic #54

Closed sherlock-admin4 closed 1 month ago

sherlock-admin4 commented 1 month ago

bareli

Medium

StakingRewards.setRewardsDuration allows setting near zero or enormous rewardsDuration`, which breaks reward logic

Summary

rewardsDuration cab be set to zero and notifyRewardAmount will cease to produce meaningful results if rewardsDuration is too small or too big.

Vulnerability Detail

The setter does not control the value, allowing zero/near zero/enormous duration: function setRewardsDuration(uint256 rewardsDuration) external onlyOwner updateReward(address(0)) { uint256 periodFinish = periodFinish; if (block.timestamp < periodFinish) { uint256 leftover = (periodFinish - block.timestamp) * rewardRate; rewardRate = leftover / _rewardsDuration; periodFinish = block.timestamp + _rewardsDuration; }

    rewardsDuration = _rewardsDuration;
    emit RewardsDurationUpdated(rewardsDuration);
}

Impact

notifyRewardAmount will fail if rewardsDuration is too small or too big.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/synthetix/StakingRewards.sol#L172

Tool used

Manual Review

Recommendation

Check for min and max range in the rewardsDuration setter, as too small or too big rewardsDuration breaks the logic.

telome commented 1 month ago

Not an issue. From the rules: "Governance configurations are assumed to be set with extreme care. Lack of sanity check issues are not viable submissions. Governance is assumed as non-malicious with regards to all matters."