Handle
hack3r-0m
Vulnerability details
https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/Sherlock.sol#L673
When initialStake is called, it mints the NFT, and in the before-transfer hook, addressShares[msg.sender] is credited with the minted shares.
When redeemNFT is called, it burns the NFT, and in the before-transfer hook, the burned shares are subtracted from addressShares[msg.sender].
On arbRestake, however, some fraction of stakeShare is redeemed by the arb, but because there is no token transfer, that fraction is not deducted from the owner's addressShares, resulting in an improper amount and a miscalculation in accounting.
Until the owner calls redeemNFT, the correct calculation is not updated.
Tools Used
Manual Review
Recommended Mitigation Steps
Update addressShares of the owner on arbRestake.
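The following simplified Python model of the accounting described in this report is an added example, not Sherlock's contract code. It covers only the mint path and arbRestake; the names StakeModel, drift, fix_arb_restake and demo, and the share amounts, are constructed for illustration.

```python
from collections import defaultdict


class StakeModel:
    """Toy ledger: per-NFT shares plus a cached per-owner total."""

    def __init__(self, fix_arb_restake=False):
        self.stake_shares = {}                  # NFT id -> shares (source of truth)
        self.owner_of = {}                      # NFT id -> owner
        self.address_shares = defaultdict(int)  # owner -> cached total
        self.fix_arb_restake = fix_arb_restake

    def _before_token_transfer(self, sender, receiver, nft_id):
        # Runs only when the NFT is minted, burned or transferred.
        shares = self.stake_shares[nft_id]
        if sender is not None:
            self.address_shares[sender] -= shares
        if receiver is not None:
            self.address_shares[receiver] += shares

    def initial_stake(self, owner, shares):
        nft_id = len(self.stake_shares) + 1
        self.stake_shares[nft_id] = shares
        self.owner_of[nft_id] = owner
        self._before_token_transfer(None, owner, nft_id)  # mint
        return nft_id

    def arb_restake(self, nft_id, arb_shares):
        # The arb redeems part of the position. The NFT does not move,
        # so the hook above never runs for this change.
        self.stake_shares[nft_id] -= arb_shares
        if self.fix_arb_restake:  # the report's recommended mitigation
            self.address_shares[self.owner_of[nft_id]] -= arb_shares

    def drift(self, owner):
        """Cached total minus the shares actually backing the owner's NFTs."""
        backing = sum(s for i, s in self.stake_shares.items()
                      if self.owner_of[i] == owner)
        return self.address_shares[owner] - backing


def demo(fix):
    m = StakeModel(fix_arb_restake=fix)
    first = m.initial_stake("alice", 1000)  # constructed sample values
    m.initial_stake("alice", 500)
    m.arb_restake(first, 100)
    return m.address_shares["alice"], m.drift("alice")


if __name__ == "__main__":
    print("unpatched:", demo(False), "patched:", demo(True))
```

A non-zero drift is the invariant violation the report describes; a test suite for the real contract can assert the same equality after every state-changing call.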