Integer Division Rounding in Reward Distribution Enables Malicious Reward Redirection and Protocol Sabotage
Integer division per pool truncates to zero when distribution is called with small block deltas. A malicious actor calling rewardDistribution every block routes 100% of emissions to the owner-only dust accumulator, starving stakers.
Description
The MatChain protocol's reward distribution mechanism contains a critical vulnerability where integer division rounding errors can be exploited to divert rewards from legitimate stakers to the dust accumulator. A malicious actor can exploit this vulnerability by frequently calling the rewardDistribution() function with small block intervals, causing nearly all rewards to be redirected as dust that only the contract owner can claim.
The vulnerability stems from the integer division operations in the reward distribution calculations. When rewards are distributed in small amounts (per block), the integer division rounds down to zero for individual pool rewards, causing all rewards to accumulate as dust rather than being distributed to stakers.
This creates two significant issues:
- Legitimate stakers receive significantly fewer rewards than they should.
- The dust accumulator, which is only accessible to the contract owner, collects an unfair proportion of rewards.
In the worst-case scenario demonstrated by our PoC, a malicious actor can cause 100% of rewards to be diverted to dust by calling the distribution function every block.
Impact
Test results in the PoC show that in the normal operation scenario, rewards are distributed correctly to all pools with 0% dust. However, in the attack scenario (calling distribution every block for 10 blocks), 100% of rewards go to dust and 0% reach the staking pools.
=== Attack Impact ===Increase in dust percentage: 100%=== Per-Pool Impact (normalized) ===Pool 1 reward loss: 100%Pool 2 reward loss: 100%Pool 3 reward loss: 100%
This proves a malicious actor can completely subvert the reward distribution mechanism by calling it frequently with small block intervals, causing all rewards to be redirected to dust.
Recommendation
To mitigate this vulnerability, we recommend implementing the following changes:
-
Enforce Minimum Distribution Intervals: a. Implement a minimum number of blocks (e.g., 100) that must pass between reward distributions. b. Store the last distribution block and revert if the minimum interval hasn't passed.
-
Use Fixed-Point Arithmetic: a. Replace integer division with fixed-point arithmetic to minimize rounding errors. b. Store "remainder" values for each pool and include them in the next distribution.
