Flashloan can be used to give user maximum stake power of `StakeLevel.PLATINUM` for a transaction

[code423n4]

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/601e0e5498587f5b1ae33f345223c86526ae9ce1/contracts/staking/InfinityStaker.sol#L210-L224

Vulnerability details

Flashloan can be used to give user maximum stake power of StakeLevel.PLATINUM for a transaction

Based on Infinity exchange V1 out of scope of this contest. Staking level is used to get level of fee tier for user. It might be used for different purpose in future like airdrop as only view function is implement now.

Impact

The dev should be aware of potential future harm as any user can become platinum user for a single transaction by using flashloan from uniswap. Depend on purpose of Stakelevel implementation, the current impact is not known.

POC

• User flashloan 20_000e18 INFINITY_TOKEN from Uniswap.
• Stake all token into no penalty duration
• User stake power become platinum
• Do any thing with protocol this transaction.
• Unstake and refund. Power become bronze.

Recommended Mitigation Steps

Any implementation of using stake power should check for timestamp of Duration.NONE is not same as current block. To prevent any user from using flashloan to unpredicted use of Platinum like no fee trading or airdrop if ever used.

[nneverlander]

Duplicate

[HardlyDifficult]

Without more details about the intended governance mechanism, it's hard to judge the severity for this. Lowering risk and merging with the warden's QA report #270