Code4rena (code423n4) CODE423N4:2023-06-RESERVE-FINDINGS-ISSUES-24
Jun 09, 2023 - 12:00 a.m.

Users who stake at the end of a freeze would get rewards as if they've staked before the freeze

2023-06-09 00:00:00
Code4rena
github.com

AI Score: 6.9 Medium

Confidence: Low

Lines of code

Vulnerability details

This one was reported in the first contest and was mitigated, but a code change made since then brings it back again.

Impact

Users who stake while frozen would get a share of the rewards for the period since the last call to payoutRewards().

This means that in the case of a long freeze (e.g. a week or a few weeks), users who stake right before the freeze ends would get a reward as if they had staked before the freeze started. This comes at the expense of the stakers who staked before the freeze began.

Proof of Concept

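While frozen, _payoutRewards() isn’t called:

    function stake(uint256 rsrAmount) public {
        require(rsrAmount > 0, "Cannot stake zero");

        // Reward payout is skipped while the protocol is frozen
        if (!main.frozen()) _payoutRewards();
        // ... (rest of the function is not shown in the report)
    }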

Not paying out the rewards means that the next time _payoutRewards() is called, the stakers would get a reward as if they had staked at the time it was last called.

Recommended Mitigation Steps

Consider paying out rewards while frozen as well.
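
The dilution described in the Proof of Concept and the effect of the recommended mitigation, worked through as an added example (not code from the report or from the protocol). It is a simplified share-based pool in Python with linear reward accrual; StakingPool, reward_per_day, run_scenario and all amounts are constructed assumptions.

```python
from fractions import Fraction

class StakingPool:
    """Simplified share-based staking pool (assumed model, not the protocol's contract)."""

    def __init__(self, reward_per_day, payout_while_frozen):
        self.reward_per_day = reward_per_day            # assumed linear accrual
        self.payout_while_frozen = payout_while_frozen  # False = behaviour in the report
        self.staked = 0        # RSR backing all shares
        self.total_shares = 0
        self.shares = {}
        self.last_payout = 0   # day of the last payout

    def payout_rewards(self, day):
        # Credit everything accrued since the last payout to current shareholders.
        if self.total_shares:
            self.staked += self.reward_per_day * (day - self.last_payout)
        self.last_payout = day

    def stake(self, user, amount, day, frozen):
        if amount <= 0:
            raise ValueError("Cannot stake zero")
        if not frozen or self.payout_while_frozen:
            self.payout_rewards(day)
        # Shares are minted at the current rate; a stale rate dilutes earlier stakers.
        rate = Fraction(self.total_shares, self.staked) if self.total_shares else Fraction(1)
        minted = amount * rate
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        self.staked += amount

    def balance(self, user):
        return Fraction(self.shares[user] * self.staked, self.total_shares)

def run_scenario(payout_while_frozen):
    # Constructed scenario: 100 RSR/day in rewards, 7-day freeze starting right after day 0.
    pool = StakingPool(reward_per_day=100, payout_while_frozen=payout_while_frozen)
    pool.stake("alice", 1000, day=0, frozen=False)   # stakes before the freeze
    pool.stake("bob", 1000, day=7, frozen=True)      # stakes just before the freeze ends
    pool.payout_rewards(day=7)                       # first payout after unfreezing
    return pool.balance("alice"), pool.balance("bob")

if __name__ == "__main__":
    print("payout skipped while frozen:", run_scenario(False))
    print("payout also while frozen:  ", run_scenario(True))
```

With the payout skipped, the 700 RSR accrued during the freeze is split evenly between the two stakers; with the payout performed before minting, the earlier staker keeps all of it.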

Assessed type

Other

