This repository has been archived by the owner on Jan 12, 2025. It is now read-only.
Honour - Anyone can prevent pools from being bribable #273
Comments
github-actions
bot
added
the
Excluded
0xSmartContract
added
Medium
sherlock-admin4
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Honour
Medium
Anyone can prevent pools from being bribable
Summary
A malicious actor can prevent any pool from being bribable
Vulnerability Detail
Anyone can create a bribe rewarder from the rewarder factory with any reward token for any pool and register it. Because each pool has a maximum of 5 bribe rewarders per epoch and there're no restrictions on the reward token or pool to register to , that means that anyone(or someone with incentive to want a specific pool to be voted for or to not be voted for) can literally create a token and a bunch of rewarders with said token to fill a pool's
bribesPerPeriod, disincentivizing voters from voting for that sepcific pool.Impact
malicious briber can disincentivize voters from voting for other pools by registering rewarders with dust reward tokens
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/RewarderFactory.sol#L109-L113
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L130-L144
Tool used
Manual Review
Recommendation
There isn't any clear way to prevent someone from registering any rewarder on any pool ,however bribeRewarder reward tokens can be restricted to known/whitelisted tokens to atleast make it exponsive to do so.
Duplicate of #190
The text was updated successfully, but these errors were encountered: