Reinitialisation in BkdLocker.sol

In the initialize() function, the only check made is that the current startBoost value is zero. If zero is passed as startBoost, the stored value stays zero, so the function can be called again later and potentially modify other variables which should remain constant. Consider adding a check that the passed value of startBoost is nonzero.

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/BkdLocker.sol#L59

Additionally, initialize() makes no check that MAX_BOOST is larger than START_BOOST. If it is not, the calculation in computeNewBoost() will revert due to an arithmetic underflow, blocking any further call that deals with claiming fees, staking or withdrawing tokens. Add a check in the initialize() function to make sure that max boost is larger than start boost.
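The following is an added illustration of both points in the finding, written for this note and not taken from the Backd repository: a minimal locker whose initialize() relies only on the stored startBoost being zero, next to a hardened version that uses an explicit one-shot flag and validates the boost parameters before storing them. The contract, variable and function names (WeakLocker, HardenedLocker, startBoost, maxBoost, increasePeriod, computeNewBoost) and the boost formula are assumptions chosen to mirror the description above, not the project's actual code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, NOT the Backd BkdLocker.sol source. Names and the
// boost formula are assumptions that mirror the finding's description.
contract WeakLocker {
    uint256 public startBoost;
    uint256 public maxBoost;
    uint256 public increasePeriod;

    // Weak guard: only rejects a second call while startBoost is nonzero.
    // A first call with _startBoost == 0 leaves startBoost at zero, so
    // initialize() can run again and overwrite maxBoost and increasePeriod.
    // Nothing enforces _maxBoost > _startBoost either.
    function initialize(uint256 _startBoost, uint256 _maxBoost, uint256 _increasePeriod) external {
        require(startBoost == 0, "already initialized");
        startBoost = _startBoost;
        maxBoost = _maxBoost;
        increasePeriod = _increasePeriod;
    }

    // If maxBoost < startBoost, `maxBoost - startBoost` underflows and
    // Solidity >= 0.8 reverts, so every function that calls this reverts too.
    function computeNewBoost(uint256 elapsed) public view returns (uint256) {
        if (elapsed >= increasePeriod) return maxBoost;
        return startBoost + ((maxBoost - startBoost) * elapsed) / increasePeriod;
    }
}

contract HardenedLocker {
    uint256 public startBoost;
    uint256 public maxBoost;
    uint256 public increasePeriod;
    bool private initialized;

    function initialize(uint256 _startBoost, uint256 _maxBoost, uint256 _increasePeriod) external {
        // Explicit one-shot flag: independent of any stored value being nonzero.
        require(!initialized, "already initialized");
        // Reject the zero value the weak check relied on.
        require(_startBoost != 0, "startBoost must be nonzero");
        // Ordering invariant that the boost formula depends on.
        require(_maxBoost > _startBoost, "maxBoost must exceed startBoost");
        // Additional guard (assumption): the illustrative formula divides by this value.
        require(_increasePeriod != 0, "increasePeriod must be nonzero");
        initialized = true;
        startBoost = _startBoost;
        maxBoost = _maxBoost;
        increasePeriod = _increasePeriod;
    }

    // Same formula; the initialize() invariants guarantee it cannot underflow.
    function computeNewBoost(uint256 elapsed) public view returns (uint256) {
        if (elapsed >= increasePeriod) return maxBoost;
        return startBoost + ((maxBoost - startBoost) * elapsed) / increasePeriod;
    }
}
```

In WeakLocker, initialize(0, 10, 100) succeeds and leaves the contract open to a second initialize() call, while initialize(10, 5, 100) succeeds but makes every later computeNewBoost() call revert. HardenedLocker rejects both inputs at initialisation, and the separate initialized flag means the re-entry guard no longer depends on what value happened to be stored.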