web3pwn - The limitation of bribing for the pool leads to denial of service condition

[sherlock-admin4]

web3pwn

Medium

The limitation of bribing for the pool leads to denial of service condition

Summary

The limit of five bribers per pool can cause a denial of service, preventing legitimate bribers from providing rewards if periods are already saturated by other bribers.

Vulnerability Detail

The limitation of bribing for the pool to a maximum of five bribers leads to a denial of service condition. Legitimate bribers who wish to provide rewards might be prevented from doing so if the given periods are saturated by other bribers.

Issue Scenario:

1. Five bribers provide rewards for period 5.
2. A new briber wants to start providing bribes for periods 1-20.
3. The briber cannot do this because the logic will iterate over all periods and revert at period 5 since it is already saturated.

Impact

A legitimate briber cannot provide bribes in the form of rewards for the specified periods.

Code Snippet

• https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L137-L144
• https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L141

Tool used

Manual Review

Recommendation

It is recommended to redesign the logic so that bribers can add bribe rewards without being affected by other bribers.

Duplicate of #190