The rewards may have been partially stolen.

Vulnerability Details

The DuctLock contract currently permits a new reward to be added to the next epoch when the notifyRewardAmount function is invoked. This allows individuals to create locks before the new epoch and subsequently claim a portion of the newly added reward. The potential for exploitation increases with larger reward amounts due to the ability to optimize the timing and size of token locks.

Attackers can optimise the attack by initially creating small locks at the beginning of each epoch and subsequently increasing the amount of tokens in locks that are closest to expiration after a significant reward is added.

Attack scenario

The attackers might take the following steps in sequence:

  1. Create a lock with a minimal amount every week, each with a one-month duration (longer durations lead to larger reward theft).
  2. Upon a substantial reward addition, increase the token amount in the lock nearing expiration just before the current epoch concludes.
  3. Claim rewards in the following epoch.
  4. Due to the increased token amount in the lock, a significant portion of the added reward is obtained.

Note: Attackers may also create a new lock after step 2, but a 4-week waiting period is required to withdraw tokens.

Impact

MEDIUM – Part of the rewards is stolen.

Recommendation

  • Restrict the increase of token amounts for locks that are set to expire before the minimum duration.
  • Modify the lock creation process to allow claiming rewards from the subsequent epoch instead of the current one.
  • Assess the possibility of smoothing out the rewards deposited into the RevenueReward contract.
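
The following added example (a simplified model, not the DuctLock or RevenueReward code) compares reward shares under the behaviour described above with the first two recommendations. It assumes pro-rata distribution by locked balance, one-week epochs and a 4-week minimum duration; `shares`, `can_increase`, the owner names and all amounts are hypothetical.

```python
# Added illustration: a simplified model, not the DuctLock/RevenueReward code.
from dataclasses import dataclass

WEEK = 7 * 24 * 3600
MIN_DURATION = 4 * WEEK  # assumed minimum lock duration


@dataclass
class Deposit:
    owner: str
    amount: int
    epoch: int  # epoch in which these tokens were locked or added


def shares(deposits, reward, reward_epoch, delay):
    """Split `reward`, notified during `reward_epoch`, pro rata by balance.

    delay=0: tokens locked during reward_epoch already count (the finding).
    delay=1: tokens count only from the epoch after they were locked
             (second recommendation).
    """
    balances = {}
    for d in deposits:
        if d.epoch + delay <= reward_epoch:
            balances[d.owner] = balances.get(d.owner, 0) + d.amount
    total = sum(balances.values())
    return {o: reward * b // total for o, b in balances.items()} if total else {}


def can_increase(lock_end, now, min_duration=MIN_DURATION):
    """First recommendation: refuse top-ups when the remaining lock time
    is shorter than the minimum duration."""
    return lock_end - now >= min_duration


# Constructed sample data.
DEPOSITS = [
    Deposit("holder", 10_000, epoch=0),
    Deposit("late_locker", 1, epoch=0),
    Deposit("late_locker", 10_000, epoch=3),  # top-up in the reward's epoch
]

if __name__ == "__main__":
    print("current rule:   ", shares(DEPOSITS, 1_000, reward_epoch=3, delay=0))
    print("delayed accrual:", shares(DEPOSITS, 1_000, reward_epoch=3, delay=1))
    print("top-up one day before expiry allowed:",
          can_increase(lock_end=4 * WEEK, now=4 * WEEK - 86_400))
```

Under the current rule the late top-up takes about half of the reward from the long-term holder; with delayed accrual the holder keeps 999 of 1,000 units, and the duration guard rejects the top-up outright.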
