Rewards accrued before first deposit will remain stuck forever

[c4-bot-8]

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L570

Vulnerability details

Impact

A vulnerability in the in the UniStaker contract can cause rewards to become permanently locked if they are notified before any deposits have been made into the pool. This means that rewards allocated during this period are irretrievable, due to the contract's inability to distribute these early rewards.

As a result, these funds cannot be claimed by any participants or returned, leading to a loss of funds intended as rewards.

Proof of Concept

Take the following example scenario:

1. Initially, the contract has no staked tokens (totalStaked = 0)
2. Rewards notifier calls UniStaker#notifyRewardAmount(30 WETH) which results in scaledRewardRate = 1 WETH:

scaledRewardRate = 30 WETH / 30 days = 1 WETH/day

3. 20 days pass without any staking activity.
4. Alice stakes some WETH on day 20.
5. 10 days pass and rewardEndTime is reached.
6. Alice claims her share, calculated to be 10 WETH for her 10-day staking period:

Alice's Reward = 1 WETH/day * 10 days = 10 WETH

However, the 20 WETH of rewards from the first 20 days remain unclaimed and are stuck in the contract forever.

Tools Used

Manual Review

Recommended Mitigation Steps

To prevent rewards from becoming locked in the contract before any staking activity, the contract should revert calls to UniStaker#notifyRewardAmount() when there are no active stakers.

This approach ensures that rewards cannot be notified prematurely, avoiding the issue of locked rewards.

Assessed type

Error

[c4-judge]

MarioPoneder marked the issue as duplicate of #9

[c4-judge]

MarioPoneder marked the issue as duplicate of #369

[c4-judge]

MarioPoneder marked the issue as unsatisfactory:
Invalid