PHOAM-016: Adversaries can steal staking rewards
Closed this issue · 1 comments
Location
./contracts/stake_rewards/src/contract.rs:139
Description
Anyone can claim staking rewards without effectively staking funds.
Adversaries can bond funds just before withdrawing rewards and unbond immediately after.
The issue lies in the withdrawable_rewards function, which computes the rewards available for a user by querying the user's stakes directly from the staking contract, without considering the timing or existence of those stakes in the stake_rewards contract.
Since this function feeds the withdraw_rewards function with the available rewards information, anyone can stake at any time and claim rewards as long as the contract has sufficient rewards balance.
Recommendation
Ensure that the date/time of staking is considered when distributing rewards, or track bonds separately in the staking_rewards contract.
Add adversarial tests to ensure that adversaries cannot bypass the intended business logic.
already solved