Rewards are not rolled over #93
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4 added the 2 (Med Risk) and bug labels on Sep 16, 2022
liveactionllama added the sponsor disputed label and removed the invalid label on Oct 3, 2022
I see this as protocol leaked value since the rewards would be "lost" and aren't attributed to anyone. Currently, the sweeper function allows the reward token to be withdrawn, thus providing a form of recovery. However, #49 and its dups point out that this is a vuln, and if fixed, will remove this recovery.
HickupHH3 added the selected for report label on Nov 1, 2022
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/rewards/StakingRewards.sol#L183
Vulnerability details
Impact
If there is no deposit for some time at the start, then the reward for that period is never used.
Proof of Concept
Recommended Mitigation Steps
On the very first deposit, it is better to have (block.timestamp - startTime) * rewardRate amount of reward marked as unused, which can be used in the next notifyRewardAmount.
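The accounting gap and the recommended fix, as an added example that is not part of the original report or the audited contract: a simplified Python model of Synthetix-style reward-per-token accounting, which is an assumption about how the contract accrues rewards. The class, field names and sample numbers are constructed, and the `track_unused` option generalizes the recommendation to any interval with zero stake.

```python
# Simplified model of Synthetix-style staking reward accounting.
# Assumption for illustration only; not the audited StakingRewards.sol.
PRECISION = 10**18


class RewardsModel:
    def __init__(self, reward, duration, track_unused, start=0):
        self.rate = reward // duration            # reward units per second
        self.finish = start + duration
        self.last_update = start
        self.rpt_stored = 0                       # reward per token, scaled
        self.total = 0                            # total staked
        self.balance, self.paid, self.earned = {}, {}, {}
        self.track_unused = track_unused          # models the mitigation
        self.unused = 0                           # reward marked for rollover

    def _update(self, now, user):
        t = min(now, self.finish)
        elapsed = t - self.last_update
        if self.total == 0:
            # No stakers: the unmitigated model just advances the clock,
            # so elapsed * rate is emitted to nobody.
            if self.track_unused:
                self.unused += elapsed * self.rate
        else:
            self.rpt_stored += elapsed * self.rate * PRECISION // self.total
        self.last_update = t
        owed = self.balance.get(user, 0) * (self.rpt_stored - self.paid.get(user, 0))
        self.earned[user] = self.earned.get(user, 0) + owed // PRECISION
        self.paid[user] = self.rpt_stored

    def stake(self, now, user, amount):
        self._update(now, user)
        self.balance[user] = self.balance.get(user, 0) + amount
        self.total += amount

    def settle(self, now, user):
        self._update(now, user)
        return self.earned[user]


def run(track_unused):
    """Constructed scenario: 1000 reward over 100s, first deposit at t=40."""
    m = RewardsModel(reward=1000, duration=100, track_unused=track_unused)
    m.stake(40, "alice", 10)
    paid = m.settle(100, "alice")
    unaccounted = 1000 - paid - m.unused
    return paid, m.unused, unaccounted
```
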