stake before unfreeze can take away most of rsr rewards in the freeze period #11
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-08
primary issue: Highest quality submission among a set of duplicates
rainout: Used to specify findings that came in during the rained-out audit
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
Lines of code
https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/StRSR.sol#L222-L232
Vulnerability details
If the system is frozen, the only allowed operation is stRSR.stake, and _payoutRewards is not called during the freeze period.
So payoutLastPaid stays at its value from before the freeze period. But when the system is unfrozen, the accumulated rewards are released all at once, because block.timestamp has leapt over the whole freeze period.
Impact
A front runner can stake a huge proportion of rsr before the admin unfreezes the system, and the attacker can then get most of the rsr rewards in the next block. He only takes the risk of the unstakingDelay period.
Proof of Concept
Assumption: there are 2000 rsr staked in stRSR, and there are 1000 rsr rewards in rsrRewardsAtLastPayout with a 1 year half-life period.
At present, the LONG_FREEZER uses freezeLong to freeze the system for 1 year (default).
After 1 year, at the unfreeze point, a front runner stakes 2000 rsr into stRSR, and then the system is unfrozen. In the next block, the front runner unstakes all the stRSR he has for 2250 rsr = 2000 principal + 1000 / 2 / 2 rsr rewards.
The only risk he took is unstakingDelay. The original rsr stakers took the risk of the whole freeze period + unstakingDelay but only got a part of the rewards back.
Tools Used
Manual review
Recommended Mitigation Steps
Call payoutRewards before freeze and update payoutLastPaid before unfreeze.
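The proof of concept and the recommended mitigation can be checked against each other with a small model. This is an added example, not code from the report or from StRSR.sol: RewardModel, late_staker_gain, the continuous half-life formula and the 12-second block time are assumptions made for illustration.

```python
from dataclasses import dataclass, field

YEAR = 365 * 24 * 3600
BLOCK = 12  # seconds per block (assumed)

@dataclass
class RewardModel:
    """Simplified half-life payout model; an assumption, not StRSR.sol itself."""
    rewards: float                 # plays the role of rsrRewardsAtLastPayout
    half_life: int
    patched: bool = False          # apply the recommended mitigation
    stakes: dict = field(default_factory=dict)
    now: int = 0
    last_paid: int = 0             # plays the role of payoutLastPaid
    frozen: bool = False

    def payout(self):
        elapsed = self.now - self.last_paid
        total = sum(self.stakes.values())
        if self.frozen or elapsed == 0 or total == 0:
            return                 # skipped while frozen: last_paid does not move
        released = self.rewards * (1 - 0.5 ** (elapsed / self.half_life))
        for who, amount in list(self.stakes.items()):
            self.stakes[who] = amount + released * amount / total
        self.rewards -= released
        self.last_paid = self.now

    def stake(self, who, amount):  # the one operation allowed while frozen
        self.payout()
        self.stakes[who] = self.stakes.get(who, 0.0) + amount

    def freeze(self):
        if self.patched:
            self.payout()          # mitigation: pay out before freezing
        self.frozen = True

    def unfreeze(self):
        self.frozen = False
        if self.patched:
            self.last_paid = self.now  # mitigation: frozen time earns nothing

def late_staker_gain(patched):
    """Report's scenario: 2000 staked, 1000 rewards, 1-year half-life and freeze."""
    m = RewardModel(rewards=1000.0, half_life=YEAR, patched=patched)
    m.stake("existing", 2000.0)
    m.freeze()
    m.now += YEAR
    m.stake("late", 2000.0)        # stake placed just before the unfreeze
    m.unfreeze()
    m.now += BLOCK
    m.payout()                     # next block: rewards are distributed
    return m.stakes["late"] - 2000.0
```

Without the mitigation the late staker's gain matches the report's 1000 / 2 / 2 figure; with it, only the rewards accrued over the single block after the unfreeze are shared.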
Assessed type
Access Control