Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If rewards are distributed before users start staking, a portion of the reward will become permanently stuck #131

Closed
c4-bot-4 opened this issue Mar 3, 2024 · 3 comments
Closed

If rewards are distributed before users start staking, a portion of the reward will become permanently stuck #131

c4-bot-4 opened this issue Mar 3, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-369 🤖_06_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-4
Copy link
Contributor

c4-bot-4 commented Mar 3, 2024

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L754-L755

Vulnerability details

The UniStaker._checkpointGlobalReward function is used to update the rewardPerTokenAccumulatedCheckpoint and the lastCheckpointTime storage variables.

function _checkpointGlobalReward() internal {
    rewardPerTokenAccumulatedCheckpoint = rewardPerTokenAccumulated();
    lastCheckpointTime = lastTimeRewardDistributed();
}

The issue arises from the fact that the rewardPerTokenAccumulated function returns an old value if totalStaked == 0 so the rewardPerTokenAccumulatedCheckpoint will not be updated in this case. However, the lastTimeRewardDistributed function returns block.timestamp if rewards are streaming at the moment so the lastCheckpointTime value might be updated. It means that if the contract is notified about the reward before the first user stakes, a portion of the reward becomes permanently stuck.

Impact

The portion of the reward will be permanently stuck if the contract is notified about the reward before the first user stakes.

Proof of Concept

The test below illustrates that the rewards streamed before the first user stakes are not distributed to anyone and become inaccessible.

function test_RewardDistributionBeforeStaking() external {
    uint256 amount = 1e18;
    _mintTransferAndNotifyReward(amount);
    
    assertEq(uniStaker.totalStaked(), 0);
    _jumpAhead(uniStaker.REWARD_DURATION()/2);
    
    address depositor = makeAddr("depositor");
    _mintGovToken(depositor, 1);
    
    vm.startPrank(depositor);
    govToken.approve(address(uniStaker), 1);
    uniStaker.stake(1, depositor);
    vm.stopPrank();
    
    assertEq(uniStaker.totalStaked(), 1);
    _jumpAhead(uniStaker.REWARD_DURATION() + 1);
    assertGe(uniStaker.unclaimedReward(depositor) + 1, amount);
}

Tools Used

Manual Review

Recommended Mitigation Steps

Perhaps, the fairest solution is to pause rewards streaming while totalStaked == 0. However, this solution requires additional logic and might be prone to new errors. The easiest way to prevent unnecessary funds loss is to ensure that the first staker will stake UNI tokens right after the contract deploying.

Assessed type

Other
@c4-bot-4 c4-bot-4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 3, 2024
c4-bot-5 added a commit that referenced this issue Mar 3, 2024
@c4-bot-5
alexfilippov314 issue #131
5353368
@c4-bot-12 c4-bot-12 added the 🤖_06_group AI based duplicate group recommendation label Mar 5, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 6, 2024

MarioPoneder marked the issue as duplicate of #9

@c4-judge c4-judge closed this as completed Mar 6, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Mar 7, 2024

MarioPoneder marked the issue as duplicate of #369

@c4-judge
Copy link
Contributor

MarioPoneder marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-369 🤖_06_group AI based duplicate group recommendation unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-bot-4 @c4-bot-12