HardlyDifficult
commented
2 years ago Agree that it would be good to validate the inputs are sorted correctly here. Lowering risk and converting into a QA report for the warden
Open code423n4 opened 2 years ago
HardlyDifficult
commented
2 years ago Agree that it would be good to validate the inputs are sorted correctly here. Lowering risk and converting into a QA report for the warden
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L210
Vulnerability details
Impact
Function
getUserStakeLevelinInfinityStakershould return level of user given staked amount and staked threshold. But this function assumes that stake thresholds is ascending and will have unexpected behaviours if it’s not.This can happen when owner mistakenly set stake thresholds
updateStakeLevelThreshold()Proof of Concept
For example, if stake thresholds is
[1000, 12000, 10000, 20000]with level[BRONZE, SILVER, GOLD, PLATINUM]respectively. Alice's stake power is 11000. She should haveGOLDlevel but becauce it checks low level first then she will only receiveSILVERlevelTools Used
Manual review
Recommended Mitigation Steps
Should add check to make sure stake thresholds is always ascending.
Or in
getUserStakeLevelcan check high level first (e.g check PLATINUM -> GOLD -> … -> BRONZE)