search

sherlock-audit / 2024-07-kwenta-staking-contracts-judging

4 stars 4 forks source link

unique - Zero RewardRate will Halt Reward Distribution for Stakers #146

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

unique

High

Zero RewardRate will Halt Reward Distribution for Stakers

Vulnerability Detail

If the notifyRewardAmount() function is called with a zero _reward amount, and the first if condition passes, the code will execute rewardRate = 0 / rewardsDuration; resulting in rewardRate being set to zero. Consequently, all functions dependent on rewardRate will yield incorrect values. For instance, the getRewardForDuration function will return zero.

Impact

  1. getRewardForDuration Function:

    • This function returns the total reward amount for the specified duration.
    • If rewardRate is zero, the returned reward amount will be zero (rewardRate * rewardsDuration).

  2. rewardPerToken Function:

    • When rewardRate is zero, the rewardPerToken calculation will not increase as the additional reward amount per token will be zero.
    • This means rewardPerTokenStored will remain the same over time until rewardRate is updated again.

  3. updateReward Modifier:

    • The _updateReward internal function, which updates the rewardPerTokenStored and lastUpdateTime, will effectively result in no changes to rewardPerTokenStored due to zero rewardRate.
    • Consequently, user rewards (rewards[_account] and rewardsUSDC[_account]) won't increase as rewardPerToken doesn't change.

Code Snippet

https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/main/token/contracts/StakingRewardsV2.sol#L645-L651

Tool used

Manual Review

Recommendation

There should be an if condition that reverts the transaction if rewardRate is set to zero.