code-423n4 / 2022-05-vetoken-findings


User can pay a lot of money without getting his tokens #244

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L117

Vulnerability details

lockveasset function: the lockveasset function should do some transfer, but if that doesn't happen then the user can lose a lot of money. If incentiveVeAsset is 0, because the check is > 0, the if statement will not pass, the minting will not happen, and you're not going to get your minted tokens. It can also happen a lot, because if you make a contract that calls this function back to back, then it will fail and lose a lot of money.

    _lockVeAsset();

    //mint incentives
    if (incentiveVeAsset > 0) {
        ITokenMinter(minter).mint(msg.sender, incentiveVeAsset);
        incentiveVeAsset = 0;
    }
}

1. Put _lockVeAsset in first execution in the function; you pay a lot of tokens.
2. incentiveVeAsset = 0, then you won't get your tokens, so if you, the user, would run this function again it would fail and you would lose tokens.

https://github.com/code-423n4/2022-05-vetoken/blob/2d7cd1f6780a9bcc8387dea8fecfbd758462c152/contracts/VeAssetDepositor.sol#L119

Mitigation: put a require statement and a check on lockveasset and the if statement (put a require statement). Don't check for zero; maybe make some delay or check before making it equal to zero.

solvetony commented 2 years ago

Duplicate of #62

GalloDaSballo commented 2 years ago

The tokens you'd be "losing" are the caller incentive, which is a percentage of other tokens locked.

I believe this finding to be invalid.