code-423n4 / 2022-06-infinity-findings


Owner can set arbitrarily high `InfinityStaker` penalties and steal funds #345

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L364-L372 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/staking/InfinityStaker.sol#L195-L198

Vulnerability details

Impact

Rage quit penalties can be set arbitrarily high by the InfinityStaker owner which allows the owner to steal funds from users who want to rage-quit.

Having the possibility to set unlimitedly high penalties does not put lots of trust into a protocol for investors (stakers). The penalty variables have the type uint16 and can therefore hold a value up to 65535.

Proof of Concept

InfinityStaker.updatePenalties

function updatePenalties(
    uint16 threeMonthPenalty,
    uint16 sixMonthPenalty,
    uint16 twelveMonthPenalty
  ) external onlyOwner {
    THREE_MONTH_PENALTY = threeMonthPenalty;
    SIX_MONTH_PENALTY = sixMonthPenalty;
    TWELVE_MONTH_PENALTY = twelveMonthPenalty;
}

Penalty values are used as follows:

InfinityStaker.getRageQuitAmounts

uint256 totalToUser = totalVested +
    ((threeMonthLock - threeMonthVested) / THREE_MONTH_PENALTY) +
    ((sixMonthLock - sixMonthVested) / SIX_MONTH_PENALTY) +
    ((twelveMonthLock - twelveMonthVested) / TWELVE_MONTH_PENALTY);

Penalty values up to 65535 will cause the totalToUser calculation to forfeit unvested tokens.

Tools Used

Manual review

Recommended mitigation steps

Consider adding reasonable upper bounds for THREE_MONTH_PENALTY, SIX_MONTH_PENALTY and TWELVE_MONTH_PENALTY.
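The arithmetic behind the finding, and the bounded setter the mitigation asks for, as an added Python model of the two Solidity snippets above (not code from the Infinity repository): `//` reproduces uint256 floor division, the "reasonable" penalties 2, 3 and 4 and the cap `MAX_PENALTY = 10` are constructed assumptions for illustration, and the lock amounts are constructed sample inputs. Because the penalty is a divisor, the bounded setter also rejects 0, which in Solidity would make the division revert.

```python
from dataclasses import dataclass

UINT16_MAX = 65535  # largest value a uint16 penalty can hold
MAX_PENALTY = 10    # hypothetical upper bound; the project does not define one


@dataclass(frozen=True)
class Penalties:
    three_month: int
    six_month: int
    twelve_month: int


def rage_quit_to_user(total_vested: int,
                      three_lock: int, three_vested: int,
                      six_lock: int, six_vested: int,
                      twelve_lock: int, twelve_vested: int,
                      p: Penalties) -> int:
    """Mirror of the totalToUser expression in getRageQuitAmounts.

    Python's // floors like Solidity's uint256 '/', so a large divisor
    drives each unvested term toward zero.
    """
    return (total_vested
            + (three_lock - three_vested) // p.three_month
            + (six_lock - six_vested) // p.six_month
            + (twelve_lock - twelve_vested) // p.twelve_month)


def forfeited(total_vested: int,
              three_lock: int, three_vested: int,
              six_lock: int, six_vested: int,
              twelve_lock: int, twelve_vested: int,
              p: Penalties) -> int:
    """Tokens the rage-quitting user never receives under penalty config p."""
    total_locked = three_lock + six_lock + twelve_lock
    return total_locked - rage_quit_to_user(total_vested,
                                            three_lock, three_vested,
                                            six_lock, six_vested,
                                            twelve_lock, twelve_vested, p)


def update_penalties_bounded(three_month: int, six_month: int,
                             twelve_month: int) -> Penalties:
    """Hardened updatePenalties: reject divisors outside [1, MAX_PENALTY].

    This is the check the mitigation suggests, written as a model of the
    require() statements an owner-only setter would carry.
    """
    for name, value in (("threeMonthPenalty", three_month),
                        ("sixMonthPenalty", six_month),
                        ("twelveMonthPenalty", twelve_month)):
        if value > UINT16_MAX:
            raise ValueError(f"{name}={value} does not fit in uint16")
        if value < 1:
            raise ValueError(f"{name}=0 would make the rage-quit division revert")
        if value > MAX_PENALTY:
            raise ValueError(f"{name}={value} exceeds MAX_PENALTY={MAX_PENALTY}")
    return Penalties(three_month, six_month, twelve_month)


if __name__ == "__main__":
    # Constructed scenario: nothing vested yet, 1000 tokens in each lock tier.
    args = (0, 1000, 0, 1000, 0, 1000, 0)
    sane = update_penalties_bounded(2, 3, 4)
    print("sane penalties, user receives:", rage_quit_to_user(*args, sane))
    print("sane penalties, forfeited:    ", forfeited(*args, sane))
    worst = Penalties(UINT16_MAX, UINT16_MAX, UINT16_MAX)  # what the unbounded setter allows
    print("max penalties, user receives: ", rage_quit_to_user(*args, worst))
    print("max penalties, forfeited:     ", forfeited(*args, worst))
    try:
        update_penalties_bounded(UINT16_MAX, 3, 4)
    except ValueError as exc:
        print("bounded setter rejected:", exc)
```

Run as a script it shows the same 3000 locked tokens yielding 1083 to the user under the constructed penalties of 2/3/4 and 0 under 65535/65535/65535, and the bounded setter refusing the 65535 value.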

nneverlander commented 2 years ago

Duplicate

HardlyDifficult commented 2 years ago

Fair consideration. Lowering risk and converting into a QA report for the warden.

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-infinity-findings/issues/342

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-infinity-findings/issues/340

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-infinity-findings/issues/347

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-infinity-findings/issues/350