StakingRewards.setRewardsDuration allows setting near zero or enormous rewardsDuration, which breaks reward logic #223
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol#L178-185
Vulnerability details
Impact
notifyRewardAmount will be inoperable if rewardsDuration is set to zero. It will cease to produce meaningful results if rewardsDuration is too small or too big.
Proof of Concept
The setter does not check the value, allowing a zero, near-zero, or enormous duration:
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol#L178-185
Division by the duration is used in notifyRewardAmount:
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/StakingRewards.sol#L143-156
Recommended Mitigation Steps
Check for a min and max range in the rewardsDuration setter, as a rewardsDuration that is too small or too big breaks the logic.
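The failure modes and the range check, as an added Python model that is not the Concur contract code. It assumes the common staking pattern `rewardRate = reward / rewardsDuration` with Solidity-style truncating integer division (the report only states that notifyRewardAmount divides by the duration); `MIN_DURATION`, `MAX_DURATION` and all class and function names are hypothetical.

```python
# Constructed model of one reward period; bounds are illustrative assumptions.
MIN_DURATION = 1 * 24 * 3600      # hypothetical lower bound: 1 day
MAX_DURATION = 365 * 24 * 3600    # hypothetical upper bound: 1 year


class Revert(Exception):
    """Stands in for an EVM revert."""


class StakingModel:
    def __init__(self, bounded: bool):
        self.bounded = bounded                  # True = setter with range check
        self.rewards_duration = 7 * 24 * 3600
        self.reward_rate = 0

    def set_rewards_duration(self, duration: int) -> None:
        # Mitigation from the report: reject values outside [min, max].
        if self.bounded and not (MIN_DURATION <= duration <= MAX_DURATION):
            raise Revert("rewardsDuration out of range")
        self.rewards_duration = duration

    def notify_reward_amount(self, reward: int) -> int:
        # Solidity reverts on division by zero and truncates uint division.
        if self.rewards_duration == 0:
            raise Revert("division by zero")
        self.reward_rate = reward // self.rewards_duration
        return self.reward_rate


def outcome(bounded: bool, duration: int, reward: int) -> str:
    """Run setter then notify, and classify what happened."""
    model = StakingModel(bounded)
    try:
        model.set_rewards_duration(duration)
    except Revert:
        return "setter rejected"
    try:
        rate = model.notify_reward_amount(reward)
    except Revert:
        return "notify reverted"
    if rate == 0:
        return "rate truncated to 0"            # rewards never accrue
    return f"ok rate={rate}"


if __name__ == "__main__":
    reward = 1000 * 10**18                      # constructed sample: 1000 tokens, 18 decimals
    for duration in (0, 1, 2**128, 7 * 24 * 3600):
        print(duration, outcome(False, duration, reward), "|", outcome(True, duration, reward))
```

With a duration of 1 the unbounded model still "works", but the whole reward is scheduled for a single second, which is the near-zero case the report describes.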