In NeoTokyoStaker, BYTES token can be staked into a Citizen. First, the Citizen must be staked, it will be locked for a timelock duration in Staking contract. Staker want to stake BYTES can specify this Citizen ID and stake into it.
However, when users stake into a Citizen, it did not extend the timelock. As the result, attacker can abuse this to manipulate totalPoints, making other stakers receive less rewards.
Attacker will stake any Citizen and wait after timelockEndTime to execute the attack. Now consider the scenario when Alice (a normal user) claims her reward
Manual Review
Consider extending timelock duration when stakers stake BYTES into Citizen.
The text was updated successfully, but these errors were encountered:
All reactions