Payouts round down
Description
It is possible to perform an economically impractical, griefing-style attack that abuses the rounding down behavior of mul_div in disperse_all_payouts to ensure only those with a relatively high number of shares can receive a payout:
    let payout_value = math::mul_div(
        delegator_shares_for_payout,
        reserve_balance,
        reserved_share_supply,
    );

If the reserve_balance is low enough, delegators with few shares would receive zero payout while delegators with many shares would receive some. Dust is refunded to the reserve at the end of disperse_all_payouts, meaning repeated, quick calls to disperse_all_payouts would result in only high-value delegators getting payouts.
Impact
Malicious, high-value delegators (i.e., those with many shares) could cause lower-value delegators to not receive any payouts.
Recommendations
A potential solution could be to delay payout until a minimum reserve balance is met.
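The rounding behavior and the recommended minimum-reserve check, modeled in Python as an added example (not the project's Move code and not the fix from the remediation commit). The share counts, the per-round inflow, and the names simulate, min_reserve_for_nonzero and disperse_with_floor are assumptions made for illustration.

```python
# Constructed sample data: one large delegator and two small ones.
SHARES = {"whale": 900, "small_a": 60, "small_b": 40}

def mul_div(a, b, c):
    """a * b / c rounded down, the behavior the finding attributes to math::mul_div."""
    return a * b // c

def disperse_all_payouts(shares, reserve_balance):
    """One dispersal round; returns (payouts, dust refunded to the reserve)."""
    supply = sum(shares.values())
    payouts = {who: mul_div(s, reserve_balance, supply) for who, s in shares.items()}
    return payouts, reserve_balance - sum(payouts.values())

def min_reserve_for_nonzero(shares):
    """Smallest reserve R with floor(s * R / S) >= 1 for every delegator.

    That holds iff R >= ceil(S / s_min), where s_min is the smallest holding.
    """
    supply, smallest = sum(shares.values()), min(shares.values())
    return -(-supply // smallest)  # ceiling division

def disperse_with_floor(shares, reserve_balance):
    """Hypothetical guard: skip the round until the minimum reserve is met."""
    if reserve_balance < min_reserve_for_nonzero(shares):
        return {who: 0 for who in shares}, reserve_balance  # reserve keeps accumulating
    return disperse_all_payouts(shares, reserve_balance)

def simulate(disperse, shares, inflow_per_round, rounds):
    """Add inflow, disperse, carry the dust forward; returns (totals, final reserve)."""
    reserve, totals = 0, {who: 0 for who in shares}
    for _ in range(rounds):
        reserve += inflow_per_round  # assumed constant inflow between calls
        payouts, reserve = disperse(shares, reserve)
        for who, value in payouts.items():
            totals[who] += value
    return totals, reserve

if __name__ == "__main__":
    print("unguarded:", simulate(disperse_all_payouts, SHARES, 5, 10))
    print("guarded:  ", simulate(disperse_with_floor, SHARES, 5, 10))
```

With frequent dispersal of a small reserve, the small delegators' totals stay at zero; with the guard, the same inflow is split across all three, although rounding still leaves small holders slightly below their proportional share.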
Remediation
Move Labs fixed this issue in commit ef89a88.