When a new reward is added to the staking contract, the start time could be set to a point in the past. This is meant to reward existing stakers. However, the reward amount for those stakers is based solely on their shares, not the time staked.
This allowed an attacker to front-run any reward being added with a large sum of funds and claim a majority of the existing stakers' rewards.
Report was a duplicte.