code-423n4 / 2022-06-infinity-findings


`updatePenalties()` can be used to frontrun `rageQuit()` calls and claim tokens #288

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L363-L372
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L133-L145

Vulnerability details

Impact

User funds can be stolen by a permissioned account.

The owner can frontrun a rageQuit() call with an invocation of updatePenalties(). This may not necessarily be caused by a malicious owner, but also by a coincidence or a single malicious executor of, for example, a multisig. Updating parameters to as large as possible will effectively cause all user funds to be considered a penalty.

Tools Used

Manual analysis

Recommended Mitigation Steps

Put this function under a timelock or don't allow for changing penalties.
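A timelocked and capped penalty update of the kind the mitigation describes, as an added sketch that is neither the project's code nor the warden's; the contract, its names, the 7-day delay and the 50% cap are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical minimal staker (not InfinityStaker's code): penalty changes are capped
// and queued behind a public delay, so they cannot land right before a rageQuit().
contract TimelockedPenaltyStaker {
    uint256 public constant PENALTY_DELAY = 7 days;  // assumed delay
    uint16 public constant MAX_PENALTY_BPS = 5_000;  // assumed hard cap (50%)
    address public immutable owner;
    uint16 public penaltyBps;          // penalty rageQuit() applies right now
    uint16 public pendingPenaltyBps;   // queued value, not yet live
    uint256 public pendingEffectiveAt; // earliest time it may go live (0 = none queued)
    mapping(address => uint256) public staked;

    event PenaltyQueued(uint16 newPenaltyBps, uint256 effectiveAt);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint16 initialPenaltyBps) {
        require(initialPenaltyBps <= MAX_PENALTY_BPS, "penalty too high");
        owner = msg.sender;
        penaltyBps = initialPenaltyBps;
    }

    function stake() external payable { staked[msg.sender] += msg.value; }

    // Step 1: the owner can only announce a change; the event gives stakers
    // PENALTY_DELAY to rageQuit() under the terms they staked with.
    function queuePenaltyUpdate(uint16 newPenaltyBps) external onlyOwner {
        require(newPenaltyBps <= MAX_PENALTY_BPS, "penalty too high");
        pendingPenaltyBps = newPenaltyBps;
        pendingEffectiveAt = block.timestamp + PENALTY_DELAY;
        emit PenaltyQueued(newPenaltyBps, pendingEffectiveAt);
    }

    // Step 2: anyone may apply the queued value once the delay has elapsed.
    function applyPenaltyUpdate() external {
        require(pendingEffectiveAt != 0 && block.timestamp >= pendingEffectiveAt, "timelock active");
        penaltyBps = pendingPenaltyBps;
        pendingEffectiveAt = 0;
    }

    // The penalty share stays in the contract balance; the rest goes back to the staker.
    function rageQuit() external {
        uint256 amount = staked[msg.sender];
        require(amount > 0, "nothing staked");
        staked[msg.sender] = 0;
        uint256 penalty = (amount * penaltyBps) / 10_000;
        (bool ok, ) = msg.sender.call{value: amount - penalty}("");
        require(ok, "transfer failed");
    }
}
```

Because the new rate is public for the whole delay and bounded by MAX_PENALTY_BPS, an update in the same block as a rageQuit() can neither change the terms the staker saw nor consume the entire stake.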

nneverlander commented 2 years ago

Duplicate

HardlyDifficult commented 2 years ago

This assumes a malicious admin. Lowering risk and merging with the warden's QA report #285