code-423n4 / 2024-01-init-capital-invitational-findings


No ability to withdraw in case of emergency in merchant moe #30

Closed c4-bot-9 closed 8 months ago

c4-bot-9 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-01-init-capital-invitational/blob/main/contracts/wrapper/WLpMoeMasterChef.sol#L21

Vulnerability details

Proof of Concept

Users can wrap their Merchant Moe LP tokens in the WLpMoeMasterChef contract to use them as collateral in the INIT protocol.

The Merchant Moe MasterChef contract has an emergencyWithdraw function (I don't know how to copy the line from explorer.mantle.xyz) that allows withdrawing LP tokens from the contract in case of an emergency in some rewarder contract or in other cases. In this case there will be no claiming of rewards, just a transfer of LP tokens.

But WLpMoeMasterChef doesn't have integration with that function, which puts users' LP tokens at risk.

Impact

In case of an emergency, users will not be able to unwrap.

Tools Used

VS Code

Recommended Mitigation Steps

Add integration with the function.

Assessed type

Error
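
One shape the recommended integration could take, as an added example that is not part of the original report and is not INIT Capital's or Merchant Moe's code. The interface signatures, the single-pool layout, the `guardian` role and all contract and variable names are assumptions made for illustration; reward accounting is left out so the exit path is the only thing shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Assumed minimal interfaces (not copied from the deployed contracts).
interface IMasterChefLike {
    function deposit(uint256 pid, uint256 amount) external;
    function withdraw(uint256 pid, uint256 amount) external; // also runs reward logic
    function emergencyWithdraw(uint256 pid) external;        // caller's full stake, no rewards
}
interface IERC20Like {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Hypothetical single-pool wrapper; reward accounting omitted to isolate the exit path.
contract EmergencyAwareWrapper {
    IMasterChefLike public immutable chef;
    IERC20Like public immutable lp;
    uint256 public immutable pid;
    address public immutable guardian;
    bool public emergency; // true once the whole stake has been pulled back here
    mapping(address => uint256) public wrapped;

    constructor(IMasterChefLike _chef, IERC20Like _lp, uint256 _pid, address _guardian) {
        chef = _chef; lp = _lp; pid = _pid; guardian = _guardian;
        require(_lp.approve(address(_chef), type(uint256).max), "approve failed");
    }

    function wrap(uint256 amount) external {
        require(!emergency, "emergency: deposits closed");
        require(lp.transferFrom(msg.sender, address(this), amount), "pull failed");
        wrapped[msg.sender] += amount;
        chef.deposit(pid, amount);
    }

    // Pulls the wrapper's entire stake out of MasterChef without touching rewards.
    function triggerEmergency() external {
        require(msg.sender == guardian, "not guardian");
        require(!emergency, "already triggered");
        emergency = true;
        chef.emergencyWithdraw(pid);
    }

    function unwrap(uint256 amount) external {
        wrapped[msg.sender] -= amount; // checked arithmetic reverts on overdraw
        // Normal path depends on MasterChef's reward logic; emergency path pays from local balance.
        if (!emergency) chef.withdraw(pid, amount);
        require(lp.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Because the assumed `emergencyWithdraw` returns the caller's whole balance for the pool, the wrapper has to switch every holder to the local-balance path at once, which is why the flag is global rather than per user.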

JeffCX commented 8 months ago

duplicate of #2

recommendation is the same

c4-judge commented 8 months ago

hansfriese marked the issue as duplicate of #2

c4-judge commented 8 months ago

hansfriese marked the issue as satisfactory