Part of the reward tokens can be permanently frozen in extreme cases.

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2024-02-uniswap-foundation/blob/5a2761c8277541a24bc551fbd624413b384bea94/src/UniStaker.sol#L230

Vulnerability details

Impact

In extreme cases, a portion of the reward tokens may be permanently frozen, particularly when there are no Uni tokens staked.

Assessing the vulnerability as Medium or Low (info) is challenging due to the lack of explicit discussion about scenarios where TotalStaked == 0. The reality is that when TotalStaked == 0, reward tokens are effectively "burned" (i.e., distributed to no one) and thus become frozen.

The question of whether this issue should be considered a vulnerability is subject to debate. I classify it as Medium because I believe a straightforward/simple solution exists to prevent such permanent freezing.

Proof of Concept

It's important to note that the absence of staked Uni tokens (TotalStaked == 0) prevents any increase in rewardPerTokenAccumulatedCheckpoint.

Two scenarios could lead to this issue:

First, if there are no staked tokens and a notifier calls notifyRewardAmount, the reward tokens will be distributed to no recipient.

Second, if the last stakeholder withdraws their entire deposit, rewardPerTokenAccumulatedCheckpoint ceases to increase, despite increases in block.timestamp and lastCheckpointTime. This situation results in the reward tokens being frozen.

Recommended Mitigation Steps

The straightforward and easiest strategy is to ensure that 1) notifyRewardAmount cannot be invoked when TotalStaked == 0, and 2) withdrawals cannot deplete all staked tokens.

Note that, these measures (two simple checks) incentivize MEV bots to deposit at least 1 Wei of Uni Token.

Assessed type

Other

[c4-judge]

MarioPoneder marked the issue as duplicate of #9

[c4-judge]

MarioPoneder marked the issue as duplicate of #369

[c4-judge]

MarioPoneder marked the issue as unsatisfactory:
Invalid