Fast Khaki Raccoon
High
Users can sandwich the reward accrual of TokenRewards
Depositing rewards in TokenRewards causes a stepwise jump in the reward per share which can be abused by users to avoid having to stake normally and simply take advantage of the accruals. There is no mechanism to defend against that, one such mechanism would be time like in the Synthetix staking protocol.
No response
No response
- Reward per share is 100 tokens
- Rewards will be deposited which results in the reward per share immediately going to 110
- A malicious user frontruns that, deposits 100 shares, his excluded rewards are now based on the 100 reward per share
- The reward deposit executes and reward per share goes to 110
- User immediately withdraws and gets a profit of 10 * 100 = 1000 tokens, completely risk-free
Risk-free profits for malicious users which are at the expense of honest stakers who will lose funds because of that.
No response
Implement some kind of a mechanism to guard against that, such as "vesting" the tokens over a period of time which is done in Synthetix. Alternatively, consider adding a delay between the deposit and withdrawal to make users at least have to stay staked for a certain period of time before withdrawing.