Closed code423n4 closed 3 years ago
Duplicate of #35
Email address
simomonica1997@gmail.com
Handle
s1m0
Eth address
0x9b3E9e3E4a174d59279FC7cd268e035992412384
Vulnerability details
The owner can initialize an already initialized tranche by calling setTranche https://github.com/code-423n4/marginswap/blob/main/contracts/IncentiveDistribution.sol#L78 with 0 as share argument and then calling initTranche https://github.com/code-423n4/marginswap/blob/main/contracts/IncentiveDistribution.sol#L101 bypassing the check require(tm.rewardShare == 0, "Tranche already initialized");
Recommended mitigation steps
Check share != 0 for setTrancheShare and initTranche
Impact
The state of the system would become incorrect by inflating the allTranches variable, and it would raise the gas cost for calling withdrawReward
Tools used
Manual analysis
Proof of concept
Assuming the 1 tranche is initialized.
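The pattern described in this report, as an added example that is not part of the original submission or the Marginswap source: a simplified Solidity model of the reported behaviour next to a version with the recommended `share != 0` checks. `rewardShare`, `allTranches`, `setTrancheShare`, `initTranche` and the require string are taken from the report; the contract names, struct layout, `onlyOwner` modifier, `trancheCount` helper and the placement of `allTranches.push` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model, not the Marginswap source. Storage layout, access control
// and function bodies are assumed from the description in the report.
abstract contract TrancheBase {
    struct TrancheMeta { uint256 rewardShare; }

    address public owner = msg.sender;
    mapping(uint256 => TrancheMeta) public trancheMetadata;
    uint256[] public allTranches;

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    function trancheCount() external view returns (uint256) { return allTranches.length; }
}

// Behaviour as reported: rewardShare doubles as the "initialized" flag.
contract TrancheAsReported is TrancheBase {
    function setTrancheShare(uint256 tranche, uint256 share) external onlyOwner {
        trancheMetadata[tranche].rewardShare = share; // 0 makes the tranche look uninitialized
    }

    function initTranche(uint256 tranche, uint256 share) external onlyOwner {
        TrancheMeta storage tm = trancheMetadata[tranche];
        require(tm.rewardShare == 0, "Tranche already initialized");
        tm.rewardShare = share;
        allTranches.push(tranche); // pushed a second time on re-initialization
    }
}

// With the recommended checks: rewardShare can never return to 0 once set.
contract TrancheChecked is TrancheBase {
    function setTrancheShare(uint256 tranche, uint256 share) external onlyOwner {
        require(share != 0, "Share must be non-zero");
        trancheMetadata[tranche].rewardShare = share;
    }

    function initTranche(uint256 tranche, uint256 share) external onlyOwner {
        require(share != 0, "Share must be non-zero"); // a 0 share would leave the tranche re-initializable
        TrancheMeta storage tm = trancheMetadata[tranche];
        require(tm.rewardShare == 0, "Tranche already initialized");
        tm.rewardShare = share;
        allTranches.push(tranche);
    }
}
```

In the model, `trancheCount()` on `TrancheAsReported` returns 2 after init, set-to-zero and a second init of the same tranche, while `TrancheChecked` reverts at the set-to-zero step and the count stays at 1.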