This repository was archived by the owner on Jan 12, 2025. It is now read-only.

KupiaSec - BribeRewarder has no sweeping mechanism #586

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments


sherlock-admin3 commented Jul 15, 2024

KupiaSec

High

BribeRewarder has no sweeping mechanism

Summary

If nobody votes for a certain pool during a voting period, some bribe reward will be left in the BribeRewarder. However, there is no sweeping mechanism in the BribeRewarder.

Vulnerability Detail

If nobody votes for a certain pool during a voting period, totalDeposit at L37 is 0. So, bribe rewards for the epoch are not given to anybody.

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/libraries/Rewarder2.sol#L37-L39

37:     function getDebtPerShare(uint256 totalDeposit, uint256 totalRewards) internal pure returns (uint256) {
38:         return totalDeposit == 0 ? 0 : (totalRewards << Constants.ACC_PRECISION_BITS) / totalDeposit;
39:     }

So, the bribe rewards will be left in the BribeRewarder, and they will be frozen, because there is no sweeping mechanism in the BribeRewarder.

Impact

Some Bribe rewards will be frozen in the BribeRewarder.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/libraries/Rewarder2.sol#L37-L39

Tool used

Manual Review

Recommendation

BribeRewarder should have a sweeping function.

Duplicate of #172
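
Added example (not part of the report and not MagicSea code): a Python model of the accounting described above, showing how a voting period with zero votes leaves its whole budget in the contract and how a sweep would release it. It goes slightly beyond the report by also counting the rounding remainder of the integer division; `BribeLedger`, the lump-sum budget per period, the sample votes, and `ACC_PRECISION_BITS = 64` are assumptions.

```python
# Added model, not MagicSea code. BribeLedger and its methods are hypothetical.
ACC_PRECISION_BITS = 64  # assumed value of Constants.ACC_PRECISION_BITS


def get_debt_per_share(total_deposit: int, total_rewards: int) -> int:
    # Port of the Rewarder2.getDebtPerShare lines quoted in the report.
    if total_deposit == 0:
        return 0
    return (total_rewards << ACC_PRECISION_BITS) // total_deposit


class BribeLedger:
    """Simplified rewarder: a fixed bribe budget per voting period, funded up front."""

    def __init__(self, amount_per_period: int, periods: int):
        self.amount_per_period = amount_per_period
        self.balance = amount_per_period * periods
        self.votes = [{} for _ in range(periods)]  # per period: voter -> votes
        self.swept = set()

    def claimable(self, period: int, voter: str) -> int:
        total = sum(self.votes[period].values())
        per_share = get_debt_per_share(total, self.amount_per_period)
        return (self.votes[period].get(voter, 0) * per_share) >> ACC_PRECISION_BITS

    def claim_all(self, period: int) -> int:
        paid = sum(self.claimable(period, v) for v in self.votes[period])
        self.balance -= paid
        return paid

    def sweep(self, period: int) -> int:
        # The mechanism the report asks for: once a period has ended, release
        # what no voter can withdraw (the whole budget if nobody voted), once.
        if period in self.swept:
            return 0
        self.swept.add(period)
        paid = sum(self.claimable(period, v) for v in self.votes[period])
        self.balance -= self.amount_per_period - paid
        return self.amount_per_period - paid


def constructed_scenario() -> dict:
    ledger = BribeLedger(amount_per_period=1000, periods=3)
    ledger.votes[0] = {"alice": 3, "bob": 1}
    ledger.votes[2] = {"alice": 1, "bob": 1, "carol": 1}  # period 1: no votes
    paid = [ledger.claim_all(p) for p in range(3)]
    frozen = ledger.balance  # what stays in the contract without a sweep
    swept = [ledger.sweep(p) for p in range(3)]
    return {"paid": paid, "frozen": frozen, "swept": swept, "left": ledger.balance}
```

In the constructed scenario, period 1 strands its full 1000-token budget and period 2 strands 1 token of rounding remainder; only the sweep brings the balance back to zero.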

@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@0xSmartContract 0xSmartContract added High A High severity issue. and removed Medium A Medium severity issue. labels Jul 29, 2024
@sherlock-admin4 sherlock-admin4 changed the title Smooth Taffy Moth - BribeRewarder has no sweeping mechanism KupiaSec - BribeRewarder has no sweeping mechanism Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@WangSecurity

Now a duplicate of #172, based on #164 (comment) and #164 (comment) comments.
