code-423n4 / 2021-05-nftx-findings


Missing pool existence check in balanceOf #80

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

In NFTXLPStaking.sol, deposit(), exit(), withdraw(), claimRewards() and other related functions that take a vaultID as a parameter perform a pool existence check on the staking pool associated with that vaultID. However, balanceOf is missing a similar pool check.

This may result in returning an invalid balance of a non-existing or stale pool.

Proof of Concept

Missing check: https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L168-L172

Checks: https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L117

https://github.com/code-423n4/2021-05-nftx/blob/f6d793c136d110774de259d9f3b25d003c4f8098/nftx-protocol-v2/contracts/solidity/NFTXLPStaking.sol#L144

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add check require(pool.stakingToken != address(0), "LPStaking: Nonexistent pool"); before L170.
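
Added example, not part of the original finding and not the NFTX source: a simplified model of a vaultId-keyed staking registry, showing what a balance query returns with and without the recommended check. The contract name, the `_staked` ledger, `addPool`, `removePool` and `balanceOfUnchecked` are hypothetical, and access control and token transfers are left out of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this example; it is NOT the NFTXLPStaking source.
contract LPStakingModel {
    struct StakingPool {
        address stakingToken;
        address rewardToken;
    }

    // Reading a key that was never written yields a zeroed struct, not an error.
    mapping(uint256 => StakingPool) public vaultStakingInfo;
    // Hypothetical per-pool ledger standing in for the real balance source.
    mapping(uint256 => mapping(address => uint256)) private _staked;

    function addPool(uint256 vaultId, address stakingToken, address rewardToken) external {
        require(stakingToken != address(0), "LPStaking: Zero staking token");
        vaultStakingInfo[vaultId] = StakingPool(stakingToken, rewardToken);
    }

    // Hypothetical removal path, included only to model a stale pool.
    function removePool(uint256 vaultId) external {
        delete vaultStakingInfo[vaultId]; // ledger entries are left behind
    }

    function deposit(uint256 vaultId, uint256 amount) external {
        StakingPool memory pool = vaultStakingInfo[vaultId];
        require(pool.stakingToken != address(0), "LPStaking: Nonexistent pool");
        _staked[vaultId][msg.sender] += amount; // token transfer omitted in this model
    }

    // Without the check: an unknown vaultId returns 0 and a removed pool
    // returns its old balance, so callers cannot tell either from a live pool.
    function balanceOfUnchecked(uint256 vaultId, address addr) external view returns (uint256) {
        return _staked[vaultId][addr];
    }

    // With the check recommended in the finding: both cases revert.
    function balanceOf(uint256 vaultId, address addr) external view returns (uint256) {
        StakingPool memory pool = vaultStakingInfo[vaultId];
        require(pool.stakingToken != address(0), "LPStaking: Nonexistent pool");
        return _staked[vaultId][addr];
    }
}
```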