code-423n4 / 2023-03-mute-findings


A staker might still be able to stake after staking is over. #10

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-mute/blob/4d8b13add2907b17ac14627cfa04e0c3cc9a2bed/contracts/amplifier/MuteAmplifier.sol#L203-L223

Vulnerability details

Impact

A staker might still be able to stake after staking is over.

Proof of Concept


When nobody stakes during the whole staking period, then the first staker can still stake, even after the staking period is already over.

This is because of the following faulty logic:

    if (firstStakeTime == 0) {
        firstStakeTime = block.timestamp;
    } else {
        require(block.timestamp < endTime, "MuteAmplifier::stake: staking is over");
    }

So when firstStakeTime == 0 and block.timestamp > endTime, it is still possible to stake. In other words, the function never checks whether staking is over for the first staker; it always allows the first staker to stake.

Tools Used

VScode

Recommended Mitigation Steps

if (firstStakeTime == 0) {
            firstStakeTime = block.timestamp;
} 
- else {
            require(block.timestamp < endTime, "MuteAmplifier::stake: staking is over");
-        }
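
Review bot: the `require` line between the two removed lines carries no marker, so it is left to the reader to infer that it stays and now runs for every caller, including the first staker; say so explicitly and dedent it to function-body level. Moving it above the `if (firstStakeTime == 0)` block would also put the check ahead of the write to `firstStakeTime`, which makes the intended order obvious. The closing `}` on the third line is new relative to the original `} else {` but has no `+` marker, so the snippet does not apply as a diff as written.
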
c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #23

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory
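
The time gate described in the report, modelled as an added example (not code from the report or from the Mute repository): it compares the quoted branching with the recommended form over timestamps around `endTime` and lists the inputs where they disagree. `END_TIME`, `gate_original`, `gate_fixed`, `Revert` and the sample timestamps are constructed for illustration.

```python
# Added model of the stake() time gate; not the MuteAmplifier contract itself.
from itertools import product

END_TIME = 1_000  # constructed value standing in for endTime


class Revert(Exception):
    """Stands in for a failed Solidity require()."""


def gate_original(first_stake_time, now, end_time=END_TIME):
    """Branching quoted in the report: the else arm holds the only check."""
    if first_stake_time == 0:
        first_stake_time = now
    else:
        if not now < end_time:
            raise Revert("MuteAmplifier::stake: staking is over")
    return first_stake_time


def gate_fixed(first_stake_time, now, end_time=END_TIME):
    """Recommended form: the require runs for every caller."""
    if first_stake_time == 0:
        first_stake_time = now
    if not now < end_time:
        raise Revert("MuteAmplifier::stake: staking is over")
    return first_stake_time


def accepts(gate, first_stake_time, now):
    """True if the gate lets the call through, False if it reverts."""
    try:
        gate(first_stake_time, now)
        return True
    except Revert:
        return False


def divergent_cases():
    """Enumerate (firstStakeTime, block.timestamp) pairs where the gates disagree."""
    first_values = [0, 500]        # 0 = nobody has staked yet (constructed)
    times = [999, 1_000, 1_001]    # just before, at, and after endTime
    return [(f, t) for f, t in product(first_values, times)
            if accepts(gate_original, f, t) != accepts(gate_fixed, f, t)]


if __name__ == "__main__":
    for f, t in divergent_cases():
        print(f"firstStakeTime={f} timestamp={t}: original accepts, fixed reverts")
```

Because the `require` uses a strict `<`, the two forms already differ at `block.timestamp == endTime`, not only after it.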