Closed code423n4 closed 1 year ago
thereksfour marked the issue as duplicate of #479
thereksfour marked the issue as not a duplicate
thereksfour marked the issue as primary issue
The size of the buying ticket needs to be large, as well as the portion of LOT amount, in order for this to even make sense economically. We designed staking in this way and we do not consider this an issue.
rand0c0des marked the issue as sponsor disputed
Considering that it has been clearly mentioned in the documentation, invalid
There is no locking, no ramp-up, no staking fees, no withdrawal penalties, and no additional attempts to obfuscate DAI cash flow from ticket sales. LOT holders can stake or unstake at any time without penalty.
thereksfour marked the issue as unsatisfactory: Invalid
thereksfour changed the severity to QA (Quality Assurance)
thereksfour marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/staking/Staking.sol#L118
Vulnerability details
Impact
An attacker can perform a frontrunning attack in order to get a reward without staking any token. This happens by correctly positioning the staking and withdraw operations with the buyTickets operation.
Proof of Concept
User A is calling the buyTickets function to buy 5 tickets.
Attacker sees this operation and instantly calls the below 2 transactions:
a. The first operation with high gas is for staking attacker funds
b. The second operation with low gas is for getReward and withdraw attacker funds
Finally, the withdraw function is executed, which withdraws the User's staked funds.
Notice User has earned a reward even though he has staked and withdrawn in the same block, so practically no staking at all.
Recommended Mitigation Steps
Staking rewards should also depend on the time up until which the user has staked the amount.
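An added example, not part of the original report or of Wenwin's code: a simplified reward-per-token model that shows how one ticket sale's staking reward is split when a stake enters and exits in the same block, and how the recommended time dependence changes that split. The class, the `warmup_blocks` parameter (a hypothetical one-block warm-up standing in for "time staked") and all amounts are constructed assumptions.

```python
from collections import defaultdict
SCALE = 10**18  # fixed-point scale for the per-token accumulator

class StakingModel:
    """Simplified reward-per-token pool (assumed model, not Wenwin's Staking.sol)."""
    def __init__(self, warmup_blocks=0):
        self.warmup = warmup_blocks     # 0 = no lock or ramp-up, as the quoted docs say
        self.total = 0                  # stake currently eligible for rewards
        self.acc = 0                    # cumulative reward per eligible token, scaled
        self.active = defaultdict(int)  # user -> eligible stake
        self.pending = []               # (eligible_from_block, user, amount)
        self.snap = defaultdict(int)    # user -> accumulator at last settlement
        self.earned = defaultdict(int)  # user -> unclaimed reward

    def _settle(self, user):
        self.earned[user] += self.active[user] * (self.acc - self.snap[user]) // SCALE
        self.snap[user] = self.acc

    def _activate(self, block):  # promote pending stakes whose warm-up has passed
        ready = [p for p in self.pending if p[0] <= block]
        self.pending = [p for p in self.pending if p[0] > block]
        for _, user, amount in ready:
            self._settle(user)
            self.active[user] += amount
            self.total += amount

    def stake(self, user, amount, block):
        self.pending.append((block + self.warmup, user, amount))
        self._activate(block)

    def add_reward(self, amount, block):  # staking share of a ticket sale
        self._activate(block)
        if self.total:
            self.acc += amount * SCALE // self.total

    def exit(self, user, block):  # claim and withdraw everything; returns the reward
        self._activate(block)
        self._settle(user)
        self.total -= self.active.pop(user, 0)
        self.pending = [p for p in self.pending if p[1] != user]
        return self.earned.pop(user, 0)

def same_block_scenario(warmup_blocks):
    pool = StakingModel(warmup_blocks)
    pool.stake("long_term", 1_000, block=1)     # constructed amounts
    pool.stake("short_term", 9_000, block=10)   # ordered just before the sale
    pool.add_reward(100, block=10)              # constructed ticket-sale reward
    short = pool.exit("short_term", block=10)   # ordered just after the sale
    return short, pool.exit("long_term", block=11)
```

With no warm-up the same-block stake collects 90 of the 100 reward units and the long-term staker 10; with a one-block warm-up the split is 0 and 100.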