search

sherlock-audit / 2024-07-kwenta-staking-contracts-judging

4 stars 4 forks source link

TessKimy - In Rewards Notifier, notifyRewardAmount is not correctly implemented #143

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

TessKimy

Medium

In Rewards Notifier, notifyRewardAmount is not correctly implemented

Summary

Staking rewards configured wrongly in Rewards Notifier contract.

Vulnerability Detail

Based on the system mechanism, supply scheduler can schedule a staking reward event when a new minting occur on supply schedule. 

        kwenta.mint(treasuryDAO, amountToTreasury);
        kwenta.mint(address(tradingRewards), amountToTradingRewards);
        kwenta.mint(address(stakingRewards), amountToStakingRewards);
&>      stakingRewards.notifyRewardAmount(amountToStakingRewards);
        kwenta.mint(msg.sender, minterReward);
    }

This amountToStakingRewards parameter is not used in the Reward Notifier contract:

function notifyRewardAmount(uint256 mintedAmount) external onlySupplySchedule {
        uint256 currentBalance = kwenta.balanceOf(address(this));
        kwenta.transfer(address(stakingRewardsV2), currentBalance);
        uint256 currentBalanceUsdc = usdc.balanceOf(address(this));
        usdc.transfer(address(stakingRewardsV2), currentBalanceUsdc);

&>      stakingRewardsV2.notifyRewardAmount(currentBalance, currentBalanceUsdc);
    }

Instead, it directly creates a staking rewards event using current Kwenta balance. Based on the main functionality, this value should be equal to mintedAmount. In the end, anyone can change and increase this staking rewards by sending some Kwenta.

Impact

Anyone can increase reward amount Wrong main system functionality

Code Snippet

https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/main/token/contracts/StakingRewardsNotifier.sol#L88C1-L95C6

function notifyRewardAmount(uint256 mintedAmount) external onlySupplySchedule {
        uint256 currentBalance = kwenta.balanceOf(address(this));
        kwenta.transfer(address(stakingRewardsV2), currentBalance);
        uint256 currentBalanceUsdc = usdc.balanceOf(address(this));
        usdc.transfer(address(stakingRewardsV2), currentBalanceUsdc);

        stakingRewardsV2.notifyRewardAmount(currentBalance, currentBalanceUsdc);
    }

Tool used

Manual Review

Recommendation

Forwarding the mintedAmount parameter to Staking Reward will fix the functionality.