Handle
0xRajeev
Vulnerability details
Impact
In NFTXLPStaking.sol, deposit(), exit(), withdraw(), claimRewards() and other related functions that take a vaultID as parameter perform a pool existence check on the staking pool associated with that vaultID. However, balanceOf is missing a similar pool check.
This may result in returning an invalid balance of a non-existing or stale pool.
Proof of Concept
Missing check: https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L168-L172
Checks: https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L117
https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L144
Tools Used
Manual Analysis
Recommended Mitigation Steps
Add check require(pool.stakingToken != address(0), "LPStaking: Nonexistent pool"); before L170.
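
A simplified model of the gap and the recommended check, added here as an illustration and not taken from NFTXLPStaking.sol. The names LPStakingModel, pools, _staked, _requirePool, addPool and balanceOfUnchecked are assumptions, and token transfers and access control are left out; only the require condition and its message come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this example; not the NFTX contract.
contract LPStakingModel {
    struct StakingPool {
        address stakingToken;
        address rewardToken;
    }

    mapping(uint256 => StakingPool) public pools;                     // vaultId => pool
    mapping(uint256 => mapping(address => uint256)) private _staked;  // vaultId => staker => amount

    // Single place for the existence check so every vaultId entry point can share it.
    function _requirePool(uint256 vaultId) internal view returns (StakingPool memory pool) {
        pool = pools[vaultId];
        require(pool.stakingToken != address(0), "LPStaking: Nonexistent pool");
    }

    // Access control omitted in this model.
    function addPool(uint256 vaultId, address stakingToken, address rewardToken) external {
        require(stakingToken != address(0), "LPStaking: zero staking token");
        pools[vaultId] = StakingPool(stakingToken, rewardToken);
    }

    // State-changing path: checks the pool first, as the report says deposit() does.
    function deposit(uint256 vaultId, uint256 amount) external {
        _requirePool(vaultId);
        _staked[vaultId][msg.sender] += amount; // token transfer omitted in this model
    }

    // Models the reported gap: no existence check. In this model an unknown
    // vaultId returns 0, which a caller cannot tell apart from "pool exists, no stake".
    function balanceOfUnchecked(uint256 vaultId, address addr) external view returns (uint256) {
        return _staked[vaultId][addr];
    }

    // With the recommended check: an unknown vaultId reverts instead of returning a value.
    function balanceOf(uint256 vaultId, address addr) external view returns (uint256) {
        _requirePool(vaultId);
        return _staked[vaultId][addr];
    }
}
```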