Reward can be locked in pool when initialize after startTime
#211
Labels
bug
Something isn't working
invalid
This doesn't seem right
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-05-aura/blob/4989a2077546a5394e3650bf3c224669a0f7e690/contracts/AuraBalRewardPool.sol#L205
Vulnerability details
Impact
startTime
anyone can callinitialiseRewards()
to initAuraBalRewardPool
.rewardRate
again.Proof of concept
duration
amount ofrewardToken
to the pool, just enough for the attack.startTime
, reward manager is going to init the reward pool. First he/she must transfer some amount ofrewardToken
into the pool.initialiseRewards()
. Now because it’s pass thestartTime
, attacker can call it and setrewardRate
to very low value (= 1 in this case).rewardToken
that reward manager transfer into will be locked there becauserewardRate
is set and noone can callinitialiseRewards()
again.Tools Used
Manual Review
Recommended Mitigation Steps
You can allow reward manager to update
rewardRate
. Of course, we have toupdateReward
first before recalculate the rate or add function to withdraw the left over.The text was updated successfully, but these errors were encountered: