This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

slowfi - Fake Token Can Be Used To Block Real BribeRewarders #690

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue


sherlock-admin3 commented Jul 15, 2024

slowfi

Medium

Fake Token Can Be Used To Block Real BribeRewarders

Summary

The Voter function allows a maximum of 5 BribeRewarders. This should incentivise the community to vote for certain pools. However, creating a BribeRewarder is permissionless. Users may create BribeRewarders with fake tokens to block the entrance of real incentivisers to the system, and there is no way to prevent it.

Vulnerability Detail

Anyone can create a BribeRewarder for a pool with a scam or fake token. This may achieve the exact opposite effect to the one desired.

Impact

This can prevent the system from operating as expected.

Code Snippet

Voter.sol#L130-L144

  function onRegister() external override {
      IBribeRewarder rewarder = IBribeRewarder(msg.sender);

      _checkRegisterCaller(rewarder);

      uint256 currentPeriodId = _currentVotingPeriodId;
      (address pool, uint256[] memory periods) = rewarder.getBribePeriods();
      for (uint256 i = 0; i < periods.length; ++i) {
          // TODO check if rewarder token + pool  is already registered

          require(periods[i] >= currentPeriodId, "wrong period");
          require(_bribesPerPriod[periods[i]][pool].length + 1 <= Constants.MAX_BRIBES_PER_POOL, "too much bribes");
          _bribesPerPriod[periods[i]][pool].push(rewarder);
      }
  }

Tool used

Manual Review

Recommendation

Allow the admin to erase a fake BribeRewarder if detected.

Duplicate of #190

@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin2 sherlock-admin2 changed the title Sneaky Neon Mole - Fake Token Can Be Used To Block Real BribeRewarders slowfi - Fake Token Can Be Used To Block Real BribeRewarders Jul 30, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 30, 2024
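
A sketch of the recommended mitigation, added here as an illustration and not taken from the project's Voter.sol or from the report: a capped per-period, per-pool rewarder list with an admin-only removal path that frees a slot. The contract name, the `admin` role, `removeRewarder`, the event and the custom errors are all assumptions, and the caller and period checks from `onRegister` are left out to keep the model small.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (hypothetical names); models only the capped list from the snippet.
contract CappedBribeRegistry {
    uint256 public constant MAX_BRIBES_PER_POOL = 5; // cap stated in the report
    address public immutable admin;                  // assumption: a single admin role

    // periodId => pool => registered rewarders (plays the role of _bribesPerPriod)
    mapping(uint256 => mapping(address => address[])) private _bribes;

    event RewarderRemoved(uint256 indexed periodId, address indexed pool, address rewarder);

    error NotAdmin();
    error CapReached();
    error NotRegistered();

    constructor() {
        admin = msg.sender;
    }

    /// Permissionless registration, as in the reported code: first come, first served.
    function register(uint256 periodId, address pool) external {
        address[] storage list = _bribes[periodId][pool];
        if (list.length >= MAX_BRIBES_PER_POOL) revert CapReached();
        list.push(msg.sender);
    }

    /// Mitigation: the admin evicts a rewarder judged to be fake, freeing its slot.
    function removeRewarder(uint256 periodId, address pool, address rewarder) external {
        if (msg.sender != admin) revert NotAdmin();
        address[] storage list = _bribes[periodId][pool];
        uint256 n = list.length;
        for (uint256 i = 0; i < n; ++i) {
            if (list[i] == rewarder) {
                list[i] = list[n - 1]; // swap-and-pop; list order is not preserved
                list.pop();
                emit RewarderRemoved(periodId, pool, rewarder);
                return;
            }
        }
        revert NotRegistered();
    }

    function bribeCount(uint256 periodId, address pool) external view returns (uint256) {
        return _bribes[periodId][pool].length;
    }
}
```

The `RewarderRemoved` event gives off-chain monitoring a record of every admin eviction, which matters because removal is a privileged action.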