code-423n4 / 2022-06-infinity-findings


Possible DoS or very high penalties on rage quit #177

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L364
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L195-L198

Vulnerability details

Impact

There are no limits in the function updatePenalties, so:

  1. the admin can set very high penalties, which will lead to almost all of the user's staked tokens being sent to the treasury in case of rageQuit
  2. if the admin sets zero penalties, rageQuit won't work because of division by zero

Recommended Mitigation Steps

Check that the penalty cannot be zero and set an upper limit.
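
The two failure modes above, shown in an added, simplified contract that is not the InfinityStaker source: it assumes the penalty acts as a divisor (the user receives amount / penalty on rage quit and the remainder goes to the treasury), which is what makes a zero value revert and a huge value drain the stake. The unchecked setter is kept next to the bounded one so the mitigation is visible; names, the default of 2 and the cap of 10 are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical staker: NOT the project's code, only the shape of the bug.
contract PenaltyExample {
    address public owner;
    address public treasury;
    uint16 public penalty = 2;                 // assumed default: user keeps 1/2
    uint16 public constant MAX_PENALTY = 10;   // assumed cap: user keeps at least 1/10
    mapping(address => uint256) public staked;

    constructor(address _treasury) {
        owner = msg.sender;
        treasury = _treasury;
    }

    // Vulnerable shape: no bounds. 0 makes rageQuit revert (Panic 0x12 in
    // 0.8.x), and a very large divisor sends almost everything to treasury.
    function updatePenaltiesUnchecked(uint16 newPenalty) external {
        require(msg.sender == owner, "not owner");
        penalty = newPenalty;
    }

    // Hardened shape: reject zero and cap the divisor, per the mitigation.
    function updatePenalties(uint16 newPenalty) external {
        require(msg.sender == owner, "not owner");
        require(newPenalty != 0, "penalty cannot be zero");
        require(newPenalty <= MAX_PENALTY, "penalty too high");
        penalty = newPenalty;
    }

    function stake() external payable {
        staked[msg.sender] += msg.value;
    }

    // Split of a rage-quit amount between user and treasury.
    function rageQuitAmounts(uint256 amount) public view returns (uint256 toUser, uint256 toTreasury) {
        toUser = amount / penalty;          // division by zero if penalty == 0
        toTreasury = amount - toUser;       // approaches `amount` as penalty grows
    }

    function rageQuit() external {
        uint256 amount = staked[msg.sender];
        require(amount > 0, "nothing staked");
        staked[msg.sender] = 0;             // zero balance before transfers
        (uint256 toUser, uint256 toTreasury) = rageQuitAmounts(amount);
        payable(msg.sender).transfer(toUser);
        payable(treasury).transfer(toTreasury);
    }
}
```

With the unchecked setter, `updatePenaltiesUnchecked(0)` makes every later `rageQuit` revert, and `updatePenaltiesUnchecked(type(uint16).max)` leaves a 1 ether staker with about 15 wei; the bounded setter rejects both inputs.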

HardlyDifficult commented 2 years ago

This assumes a malicious admin. Lowering risk and merging with the warden's QA report #175