User funds can be stolen by a permissioned account.
The owner can frontrun a rageQuit() call with an invocation of updatePenalties(). This may not necessarily be caused by a malicious owner, but also by a coincidence or by a single malicious executor of, for example, a multisig. Updating the parameters to values as large as possible will effectively cause all user funds to be considered a penalty.
Tools Used
Manual analysis
Recommended Mitigation Steps
Put this function under a timelock or don't allow for changing penalties.
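One way to apply the timelock recommendation, as an added sketch that is not code from InfinityStaker or from the original report. The contract name, the three-field `Penalties` struct, the two-day `DELAY` and the `queuePenalties`/`applyPenalties`/`cancelPenalties` functions are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: hypothetical contract, not the InfinityStaker source.
/// Penalty changes are announced first and only take effect after DELAY,
/// so a pending rageQuit() can no longer be front-run with new values.
contract TimelockedPenalties {
    // Assumed shape of the penalty parameters (hypothetical field names).
    struct Penalties { uint32 threeMonth; uint32 sixMonth; uint32 twelveMonth; }

    uint256 public constant DELAY = 2 days; // assumed notice period

    address public immutable owner;
    Penalties public active;    // values an exit function would read
    Penalties public pending;   // announced, not yet in force
    uint256 public pendingEta;  // 0 means nothing is queued

    event PenaltiesQueued(Penalties next, uint256 eta);
    event PenaltiesApplied(Penalties current);
    event PenaltiesCancelled();

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(Penalties memory initial) {
        owner = msg.sender;
        active = initial;
    }

    /// Step 1: announce the new values; stakers see the event and can exit
    /// under the current values until the delay has passed.
    function queuePenalties(Penalties memory next) external onlyOwner {
        pending = next;
        pendingEta = block.timestamp + DELAY;
        emit PenaltiesQueued(next, pendingEta);
    }

    /// Step 2: anyone may activate the queued values once the delay is over.
    function applyPenalties() external {
        require(pendingEta != 0, "nothing queued");
        require(block.timestamp >= pendingEta, "timelock active");
        Penalties memory next = pending;
        active = next;
        pendingEta = 0;
        emit PenaltiesApplied(next);
    }

    /// The owner can withdraw an announced change before it takes effect.
    function cancelPenalties() external onlyOwner {
        require(pendingEta != 0, "nothing queued");
        pendingEta = 0;
        emit PenaltiesCancelled();
    }
}
```

Re-queuing restarts the delay, so every change that reaches `active` has been visible on-chain for at least `DELAY`.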
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L363-L372
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L133-L145