Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2021-11-YAXIS-FINDINGS-ISSUES-67
HistoryNov 18, 2021 - 12:00 a.m.

Transmuter yield can be gamed by only staking when yield is distributed

2021-11-1800:00:00
Code4rena
github.com
4
JSON

Handle

cmichel

Vulnerability details

The Transmuter.distribute function distributes the yield to the buffer which is then distributed to all stakers over a TRANSMUTATION_PERIOD, see runPhasedDistribution and updateAccount.

If the elapsed time from the last phase distribution is greater than the TRANSMUTATION_PERIOD, the entire buffer is allocated.

If the distribute calls happen infrequently (less frequently than a TRANSMUTATION_PERIOD lasts), a user can deposit their alToken into the Transmuter and have these debt tokens converted to the underlying, essentially earning a yield.
Afterwards, if there is no yield in the buffer, there’s no reason to be staked in the Transmuter and the alTokens can be used to farm yield somewhere else.

Impact

The reward system can be gamed.

Recommended Mitigation Steps

The harvesting & distribute calls should happen very frequently and the TRANSMUTATION_PERIOD should probably be set higher than 50 seconds.

The text was updated successfully, but these errors were encountered:

All reactions

JSON