StakingRewards.setRewardsDuration allows setting near zero or enormous rewardsDuration, which breaks reward logic #51
Labels
bug
Something isn't working
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/rewards/StakingRewards.sol#L225-L232
Vulnerability details
Impact
Similar to code-423n4/2022-02-concur-findings#223.
notifyRewardAmount will be inoperable if rewardsDuration bet set to zero. If will cease to produce meaningful results if rewardsDuration be too small or too big.
Proof of Concept
The setter do not control the value, allowing zero/near zero/enormous duration:
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/rewards/StakingRewards.sol#L225-L232
Division by the duration is used in notifyRewardAmount:
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/rewards/StakingRewards.sol#L189-L195
Tools Used
None
Recommended Mitigation Steps
Check for min and max range in the rewardsDuration setter, as too small or too big rewardsDuration breaks the logic
The text was updated successfully, but these errors were encountered: