Skip to content

Latest commit

 

History

History
50 lines (40 loc) · 1.44 KB

020.md

File metadata and controls

50 lines (40 loc) · 1.44 KB

Proud Tartan Lynx

Medium

Rewards May be Locked.

Summary

This contract provides rewards even when totalEarningPower is zero. These rewards will be locked in this contract.

Root Cause

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/GovernanceStaker.sol#L294 This contract provides rewards over time. If totalEarningPower is zero, this contract still provide rewards, because the lastCheckpointTime is updated current time. But there is no one to receive these rewards. As a result, these rewards will be locked in this contract.

Internal pre-conditions

N/A

External pre-conditions

N/A

Attack Path

N/A

Impact

Rewards may be locked in this contract.

PoC

GovernanceStaker.sol
294:    function lastTimeRewardDistributed() public view virtual returns (uint256) {
            if (rewardEndTime <= block.timestamp) return rewardEndTime;
            else return block.timestamp;
        }
748:    function _checkpointGlobalReward() internal virtual {
            rewardPerTokenAccumulatedCheckpoint = rewardPerTokenAccumulated();
            lastCheckpointTime = lastTimeRewardDistributed();
        }

Mitigation

294:    function lastTimeRewardDistributed() public view virtual returns (uint256) {
+           if (totalEarningPower == 0) return rewardEndTime;
            if (rewardEndTime <= block.timestamp) return rewardEndTime;
            else return block.timestamp;
        }