code-423n4 / 2022-03-paladin-findings


User can always stay in UNSTAKE_PERIOD #63

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-paladin/blob/9c26ec8556298fb1dc3cf71f471aadad3a5c74a0/contracts/HolyPaladinToken.sol#L1131

Vulnerability details

Impact

Due to how the cooldown period is calculated after a transfer, a user can strategically transfer between accounts to increase their cooldown timestamp while keeping it within the UNSTAKE_PERIOD, so they can unstake anytime, defeating the cooldown mechanism.

Proof of Concept

https://github.com/code-423n4/2022-03-paladin/blob/9c26ec8556298fb1dc3cf71f471aadad3a5c74a0/contracts/HolyPaladinToken.sol#L1131

        // HolyPaladinToken.sol#L1131: the receiver's new cooldown is the balance-weighted
        // average of the sender's cooldown and the receiver's existing cooldown
        return ((amount * _senderCooldown) + (receiverBalance * receiverCooldown)) / (amount + receiverBalance);

Kogaroshi commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-03-paladin-findings/issues/7. As stated in Issue https://github.com/code-423n4/2022-03-paladin-findings/issues/7, the unstake period is reduced to 2 days.

0xean commented 2 years ago

closing as dupe of #7