If the admin set THREE_MONTH_PENALTY to 0, the transaction will be reverted because of division by zero. A malicious/compromised owner can deny everyone to get tokens back.
Tools Used
None
Recommended Mitigation Steps
Check the new penalty value should not be 0 in updatePenalties.
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L136 https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L195-L198
Vulnerability details
Impact
Users can call
rageQuit
, and apply penalties for unvested tokens at any time. But admin can trigger DoS, leading to users being unable to quit.Proof of Concept
In
rageQuit
, it doesn’t have thewhenNotPaused
modifier, so any users can callrageQuit
at any time. It usesgetRageQuitAmounts
to calculatetotalToUser
andpenalty
. But ingetRageQuitAmounts
L195-L198: https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L195-L198If the admin set THREE_MONTH_PENALTY to 0, the transaction will be reverted because of division by zero. A malicious/compromised owner can deny everyone to get tokens back.
Tools Used
None
Recommended Mitigation Steps
Check the new penalty value should not be 0 in
updatePenalties
.