Initial rewards may be lost when the total staked UNI tokens is zero.

[c4-bot-3]

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L570-L599

Vulnerability details

Once the protocol fees for a pool have been purchased, the amount is sent to the unistaker.sol, and then notifyRewardAmount() is called. This function calculates the reward rate per second and also records the start of the reward period. The issue here will occur at the beginning stages of the protocol if no UNI holder has staked their token yet but an auction has already been done to buy a pool's fees.

  function notifyRewardAmount(uint256 _amount) external {
    if (!isRewardNotifier[msg.sender]) revert UniStaker__Unauthorized("not notifier", msg.sender);


    // We checkpoint the accumulator without updating the timestamp at which it was updated, because
    // that second operation will be done after updating the reward rate.
    rewardPerTokenAccumulatedCheckpoint = rewardPerTokenAccumulated();


    if (block.timestamp >= rewardEndTime) {
      scaledRewardRate = (_amount * SCALE_FACTOR) / REWARD_DURATION;
    } else {
      uint256 _remainingReward = scaledRewardRate * (rewardEndTime - block.timestamp);
      scaledRewardRate = (_remainingReward + _amount * SCALE_FACTOR) / REWARD_DURATION;
    }


    rewardEndTime = block.timestamp + REWARD_DURATION;
    lastCheckpointTime = block.timestamp;


    if ((scaledRewardRate / SCALE_FACTOR) == 0) revert UniStaker__InvalidRewardRate();


    // This check cannot _guarantee_ sufficient rewards have been transferred to the contract,
    // because it cannot isolate the unclaimed rewards owed to stakers left in the balance. While
    // this check is useful for preventing degenerate cases, it is not sufficient. Therefore, it is
    // critical that only safe reward notifier contracts are approved to call this method by the
    // admin.
    if (
      (scaledRewardRate * REWARD_DURATION) > (REWARD_TOKEN.balanceOf(address(this)) * SCALE_FACTOR)
    ) revert UniStaker__InsufficientRewardBalance();


    emit RewardNotified(_amount, msg.sender);
  }

This function determines the number of tokens to be given as a reward per unit of time (in seconds) and records the duration of the reward cycle. However, there is a unique situation where rewards are not tallied during the initial time span until there is at least one participant (a UNI holder). In this initial period, the reward rate remains applicable, but since there are no participants, no one can claim these rewards, resulting in the loss of these rewards within the system.

This issue has been discovered before, here is a reference for a better understanding
0xMacro Blog-Synthetix

Impact

Rewards allocated for distribution to stakers will be lost in the system.

Tools Used

Manual Review

Recommended Mitigation Steps

UniStaker.sol should account for when totalStaked == 0 and should only begin rewards distribution after the first UNI holder has staked

Assessed type

Math

[c4-judge]

MarioPoneder marked the issue as duplicate of #9

[c4-judge]

MarioPoneder marked the issue as duplicate of #369

[c4-judge]

MarioPoneder marked the issue as unsatisfactory:
Invalid