code-423n4 / 2022-02-concur-findings


`safeConcurTransfer` can cause loss of funds #244

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/MasterChef.sol#L201-L211

Vulnerability details

Impact

All calculations are rounded down, since a lack of tokens in the contracts cannot be rounding errors' fault. So the function is redundant.

On the other hand, if the contract is undersupplied with Concur tokens, this will cause depositors to be sent fewer tokens than needed (or none). This is especially unsafe because the tokens that were lacking are not reflected in the accounting at all. Thus a depositor may invoke `safeConcurTransfer` and not receive the tokens they were supposed to.

Tools Used

Manual analysis

Recommended Mitigation Steps

Use the usual `safeTransfer` instead of `safeConcurTransfer`.
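An added example, not part of the original report and not the Concur contract code: a small Python model of the behaviour the finding describes, comparing a capped payout with a reverting transfer on an undersupplied pool. The class and function names, the numbers, and the assumption that the capped path clears the user's debt after paying are all constructed for illustration.

```python
class InsufficientBalance(Exception):
    """Stands in for the revert a plain token transfer produces."""


class RewardPool:
    """Constructed model of a reward-paying pool; not the Concur MasterChef code."""

    def __init__(self, token_balance):
        self.token_balance = token_balance  # reward tokens the pool actually holds
        self.owed = {}                      # user -> accrued, unpaid rewards
        self.received = {}                  # user -> tokens actually delivered

    def accrue(self, user, amount):
        self.owed[user] = self.owed.get(user, 0) + amount

    def _transfer(self, user, amount):
        if amount > self.token_balance:
            raise InsufficientBalance(f"need {amount}, hold {self.token_balance}")
        self.token_balance -= amount
        self.received[user] = self.received.get(user, 0) + amount

    def claim_capped(self, user):
        """Capped payout: send min(owed, balance), then clear the debt (assumed)."""
        amount = self.owed.get(user, 0)
        paid = min(amount, self.token_balance)
        self._transfer(user, paid)
        self.owed[user] = 0          # the unpaid remainder is recorded nowhere
        return amount - paid         # tokens the user silently lost

    def claim_strict(self, user):
        """Plain transfer: an undersupplied pool fails the call, debt is kept."""
        amount = self.owed.get(user, 0)
        self._transfer(user, amount)  # raises before any accounting changes
        self.owed[user] = 0
        return 0


def compare(balance=60, reward=100):
    """Run both claim paths against an undersupplied pool (constructed numbers)."""
    capped, strict = RewardPool(balance), RewardPool(balance)
    capped.accrue("alice", reward)
    strict.accrue("alice", reward)
    lost = capped.claim_capped("alice")
    try:
        strict.claim_strict("alice")
        reverted = False
    except InsufficientBalance:
        reverted = True
    return {"lost": lost, "capped_owed": capped.owed["alice"],
            "reverted": reverted, "strict_owed": strict.owed["alice"]}
```

In the capped path the call succeeds and the shortfall disappears from the books; in the strict path the call fails and the full amount remains claimable once the pool is funded.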

r2moon commented 2 years ago

duplicated with https://github.com/code-423n4/2022-02-concur-findings/issues/262

GalloDaSballo commented 2 years ago

Duplicate of #262