search

code-423n4 / 2022-06-yieldy-findings

0 stars 0 forks source link

`Staking.sol#stake()` DoS by staking 1 wei for the recipient when `warmUpPeriod > 0` #187

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-yieldy/blob/524f3b83522125fb7d4677fa7a7e5ba5a2c0fe67/src/contracts/Staking.sol#L435-L447

Vulnerability details

if (warmUpPeriod == 0) {
    IYieldy(YIELDY_TOKEN).mint(_recipient, _amount);
} else {
    // create a claim and mint tokens so a user can claim them once warm up has passed
    warmUpInfo[_recipient] = Claim({
        amount: info.amount + _amount,
        credits: info.credits +
            IYieldy(YIELDY_TOKEN).creditsForTokenBalance(_amount),
        expiry: epoch.number + warmUpPeriod
    });

    IYieldy(YIELDY_TOKEN).mint(address(this), _amount);
}

Staking.sol#stake() is a public function and you can specify an arbitrary address as the _recipient.

When warmUpPeriod > 0, with as little as 1 wei of YIELDY_TOKEN, the _recipient's warmUpInfo will be push back til epoch.number + warmUpPeriod.

Recommendation

Consider changing to not allow deposit to another address when warmUpPeriod > 0.

JustDravee commented 2 years ago

Should be high right? Funds are locked. See https://github.com/code-423n4/2022-06-yieldy-findings/issues/245#issuecomment-1167616593

toshiSat commented 2 years ago

duplicate #245

moose-code commented 2 years ago

Should be high right? Funds are locked. See #245 (comment)

Agree this should be high. The cost of the attack is negligible and could cause basic perpetual grievance on all users with one simple script.