Platform: Code4rena
Start Date: 04/01/2022
Pot Size: $25,000 USDC
Total HM: 3
Participants: 40
Period: 3 days
Judge: Ivo Georgiev
Total Solo HM: 1
Id: 75
League: ETH
Rank: 34/40
Findings: 1
Award: $30.27
π Selected for report: 0
π Solo Findings: 0
30.2712 USDC - $30.27
StErMi
This does not exploit in any way funds/rewards but more how users could exploit this system to maximize rewards without being exposed to the lock period (or at least to the min lock period).
Because the system allows 0-time lock (you could be able to lock and unlock with any timelock but with a lower unit multiplier). In general, it all depends on how frequently the updateDistribution (I assume that it will be called after a reward transfer towards the staking contract) and if there are locking options with a timeframe lower updateDistribution timing.
In this scenario, a user would frontrun the transwer XDEFI reward amount + updateDistribution transaction, lock their tokens with 0 duration, and unlock it after the _pointsPerUnit has been updated by updateDistribution.
In this scenario, they are maximizing how much they can get from the rewards without exposing too much to the possible downside of locking (the value of XDEFI could crash).
In the case where there are no options to have 0 lock duration, the scenario could be still exploitable if the updateDistribution timing is known. If for example, you can lock at min for 1h and you know that transfer XDEFI reward amount + updateDistribution is called each day at 12 pm, I could lock it at 11 pm and unlock it at 12:01 pm.
Manual
I don't have the perfect solution because I think that it's instinct with the design of the reward mechanism. Here's a list of possible options that I can suggest but needs to be validated.
0 lock durationbonusMultiplierOf >= of transfer XDEFI reward amount + updateDistribution timing (if there's a timing to update the reward distribution)updateDistribution since the lock period#0 - deluca-mike
2022-01-09T06:34:01Z
Technically valid, but this was expected, and we disagree with severity, as explained in the duplicate issue #30.
And specifically with this idea of front-running, that was also perfectly acceptable, and unavoidable. Just like dividends for an equity, if dividends are announced, anyone can jump into the stock before the "snapshot" (ex-dividend date) to claim rewards. Allowing a 0-duration lock (which is not enabled by default) is at XDEFI's discretion. Further, even if we disable 0-duration locks, people can still front-run a distribution. The idea is the XDEFI will enable durations that make sense. Obviously the lower the duration, the easier it is for people to front-run reward distributions without long commitments. This was expected, and frankly, obvious.