Lines of code

Vulnerability details

Impact

The MEV opportunity created robs the honest users who deposit before the start of a reward cycle. Leading to loss of rewards for said users.

Proof of Concept

A user deposits AVAX into tokenggAVAX.sol and in return gets an lp token to represent their deposit. Initially, lp token’s value trades at 1:1 against AVAX. However, as rewards are distributed, the value of lp token increases as you can claim initial deposit + rewards earned. If user A deposits their AVAX at the beginning of a reward cycle(14 days), they will wait 14 days until the rewards are released and are able to burn their lp tokens for initial deposit + reward. However, user B can simply deposit AVAX just before the end of a reward cycle and claim rewards without having to wait for 14 days. The reward amount calculated in lastRewardsAmt will be shared between user A and user B even though one staked for a full reward cycle and the latter only deposited after. This is possible because all depositors are treated equally. A user who deposits while a reward cycle is going on should not receive the same reward as a user who deposits before a reward cycle starts.

Tools Used

Manual

Recommended Mitigation Steps

Check if a user deposited before a rewards cycle or after. If they deposited before the start of the most recent rewards cycle, they should be eligible for rewards distributed after the end of the most recent rewards cycle else they are eligible for the next rewards cycle.

The text was updated successfully, but these errors were encountered:

All reactions