Ancient Neon Koala
Medium
The CGDAIncentive contract will report an inflated reward when the underlying token is paused, causing unfair loss of claims for some participants.
The specifications of the protocol state that Protocol should work with all native and ERC20 tokens that adhear to standard including weird tokens. This includes tokens which can be paused (such as BNB).
The CGDAIncentive contract linearly increases the claimable reward as time elapses:
function currentReward() public view override returns (uint256) {
uint256 timeSinceLastClaim = block.timestamp - cgdaParams.lastClaimTime;
uint256 available = asset.balanceOf(address(this));
// Calculate the current reward based on the time elapsed since the last claim
// on a linear scale, with `1 * rewardBoost` added for each hour without a claim
uint256 projectedReward = cgdaParams.currentReward + (timeSinceLastClaim * cgdaParams.rewardBoost) / 3600;
return projectedReward > available ? available : projectedReward;
}However, it fails to account for the circumstance that the underlying token is paused, in which case the reward will continue to inflate as claims will not be possible during this time.
If tokens are paused for extended periods of time, the first claimers upon unpausing the token will earn an outsized reward. But the total balance of the incentive contract is divided upon a first-come first-serve basis, so the later participants will not have any remaining claimable balance.
This causes loss of funds for most ordinary users as the ones who respond most quickly to the unpausing of the token will be automated, putting normal users at a disadvantage.
Manual Review
Consider including a push-pull model where claims can be acknowledged even when paused, with transfers claimed in a separate call. Alternatively consider including some means of checking if the contract is paused or having a mechanism for admin to forcefully pause the inflation of rewards during this time period.