scammed - BribeRewarder unclaimed tokens remain locked due to missing functionality

[sherlock-admin4]

scammed

High

BribeRewarder unclaimed tokens remain locked due to missing functionality

Summary

According to the MagicSea documentation, the unclaimed rewards from BribeRewarders should be able to be claimed by the owner, but looking at the available functionality we can clearly see that there is no such functionality available.

Vulnerability Detail

Bribes

Bribes as an additional incentive to vote can be claimed 24-48 hours after an epoch has ended. Voters can claim the rewards until the next epoch is ended. Unclaimed rewards will be sent back to the briber.

Not full reward utilisation is a valid scenario and it can happen due to various factors:

• not enough incentive for the users to vote for the pool and opt-in for bribe rewards
• inactivity of users, since rewards can be claimed up to 48 hours after last period ended
• initial funding provided is more than the totalAmount, as the check is not strict:

function _bribe(uint256 startId, uint256 lastId, uint256 amountPerPeriod) internal {
        uint256 totalAmount = _calcTotalAmount(startId, lastId, amountPerPeriod);

        uint256 balance = _balanceOfThis(_token());

        if (balance < totalAmount) revert BribeRewarder__InsufficientFunds();
        ..MORE CODE
    }

All these can lead to scenarios when the balance of the BribeRewarder is not zero after the designated claim period, the issue is that the owner cannot claim the leftover tokens, since there is no functionality available, since the only place where _safeTransferTo is called is the _modify function that is tied only for tokenIds that have voted for the pool.

Impact

Unclaimed rewards will be forever locked in the bribe contract, the impact is even higher because single bribe is for single set of periods, after _lastVotingPeriod passes new contract must be deployed and funded, thus there is no way these locked tokens even to be used.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/rewarders/BribeRewarder.sol#L31

Tool used

Manual Review

Recommendation

Add owner-restricted sweep function to claim the locked tokens.

Duplicate of #172

[WangSecurity]

Now a duplicate of #172, based on #164 (comment) and #164 (comment) comments.