code-423n4 / 2024-01-salty-findings


Some salt tokens cannot be used in Airdrop #672

Closed c4-bot-3 closed 9 months ago

c4-bot-3 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/Staking.sol#L130

Vulnerability details

Impact

The salt token is locked into the airdrop contract

Proof of Concept

Airdrop uses the transferStakedSaltFromAirdropToUser function to send staked salt tokens to the user:

```solidity
function transferStakedSaltFromAirdropToUser(address wallet, uint256 amountToTransfer) external{
    require( msg.sender == address(exchangeConfig.airdrop()), "Staking.transferStakedSaltFromAirdropToUser is only callable from the Airdrop contract" );

    _decreaseUserShare( msg.sender, PoolUtils.STAKED_SALT, amountToTransfer, false );
    _increaseUserShare( wallet, PoolUtils.STAKED_SALT, amountToTransfer, false );

    emit XSALTTransferredFromAirdrop(wallet, amountToTransfer);
}
```

_decreaseUserShare sends userRewards to the owner:

```solidity
function _decreaseUserShare( address wallet, bytes32 poolID, uint256 decreaseShareAmount, bool useCooldown ) internal{
    ......
    uint256 claimableRewards = 0;

    if ( virtualRewardsToRemove < rewardsForAmount )
        claimableRewards = rewardsForAmount - virtualRewardsToRemove;

    if ( claimableRewards != 0 )
        salt.safeTransfer( wallet, claimableRewards );

    emit UserShareDecreased(wallet, poolID, decreaseShareAmount, claimableRewards);
}
```

Therefore, Airdrop itself gets userRewards when it sends tokens to users. The problem is that these tokens cannot be used and will remain in the Airdrop contract forever.

Tools Used

vscode, manual

Recommended Mitigation Steps

Do not send userRewards to the Airdrop contract at _decreaseUserShare

Assessed type

Error
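The following is an added Python model of the share accounting described in the finding; it is not the Salty.IO code and not part of the original report. The reward formulas (virtual rewards proportional to the pool's existing rewards on share increase, pro-rata removal on decrease) are assumptions modeled on the snippet, and `StakingModel`, `run_scenario` and the wallet names are hypothetical. It shows the two cases a reviewer would want to distinguish: when rewards have been added to the STAKED_SALT pool while the Airdrop holds the shares, the `claimableRewards` of a later transfer go to `msg.sender` (the Airdrop); when no rewards were added, nothing is sent, which is the gap behind the judge's "insufficient proof" note.

```python
from dataclasses import dataclass, field

AIRDROP = "airdrop"          # hypothetical address of the Airdrop contract
STAKED_SALT = "STAKED_SALT"  # pool id, mirrors PoolUtils.STAKED_SALT


@dataclass
class UserShare:
    share: int = 0
    virtual_rewards: int = 0


@dataclass
class StakingModel:
    """Simplified share/reward accounting (assumed formulas, not the project's code)."""
    total_shares: dict = field(default_factory=dict)
    total_rewards: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)
    salt_balance: dict = field(default_factory=dict)  # simulated SALT ERC20 balances

    def _user(self, wallet: str, pool: str) -> UserShare:
        return self.users.setdefault((wallet, pool), UserShare())

    def add_rewards(self, pool: str, amount: int) -> None:
        # Rewards arriving in the pool raise the value of every existing share.
        self.total_rewards[pool] = self.total_rewards.get(pool, 0) + amount

    def _increase_user_share(self, wallet: str, pool: str, amount: int) -> None:
        u = self._user(wallet, pool)
        ts = self.total_shares.get(pool, 0)
        tr = self.total_rewards.get(pool, 0)
        # Assumed: new shares are charged "virtual rewards" so that existing
        # rewards are not diluted in favour of the newcomer.
        virtual = tr * amount // ts if ts > 0 else 0
        u.virtual_rewards += virtual
        self.total_rewards[pool] = tr + virtual
        u.share += amount
        self.total_shares[pool] = ts + amount

    def _decrease_user_share(self, wallet: str, pool: str, amount: int) -> int:
        """Returns the SALT sent to `wallet`, mirroring the snippet's claimableRewards."""
        u = self._user(wallet, pool)
        assert u.share >= amount, "insufficient share"
        ts = self.total_shares[pool]
        tr = self.total_rewards.get(pool, 0)
        rewards_for_amount = tr * amount // ts
        virtual_to_remove = u.virtual_rewards * amount // u.share
        claimable = 0
        if virtual_to_remove < rewards_for_amount:
            claimable = rewards_for_amount - virtual_to_remove
        u.share -= amount
        u.virtual_rewards -= virtual_to_remove
        self.total_shares[pool] = ts - amount
        self.total_rewards[pool] = tr - rewards_for_amount
        if claimable:
            # salt.safeTransfer(wallet, claimableRewards): wallet is the caller's address
            self.salt_balance[wallet] = self.salt_balance.get(wallet, 0) + claimable
        return claimable

    def transfer_staked_salt_from_airdrop_to_user(self, sender: str, wallet: str, amount: int) -> int:
        """Mirrors Staking.transferStakedSaltFromAirdropToUser; returns SALT paid to the sender."""
        if sender != AIRDROP:
            raise PermissionError("only callable from the Airdrop contract")
        # _decreaseUserShare(msg.sender, ...): any claimable rewards go to the Airdrop itself
        paid_to_sender = self._decrease_user_share(sender, STAKED_SALT, amount)
        self._increase_user_share(wallet, STAKED_SALT, amount)
        return paid_to_sender


def run_scenario(rewards_added: int) -> dict:
    """Constructed scenario: Airdrop holds 1000 xSALT, rewards may be added, 100 go to alice."""
    m = StakingModel()
    m._increase_user_share(AIRDROP, STAKED_SALT, 1000)
    m.add_rewards(STAKED_SALT, rewards_added)
    to_airdrop = m.transfer_staked_salt_from_airdrop_to_user(AIRDROP, "alice", 100)
    # alice later unstakes: she was charged virtual rewards, so she claims nothing extra
    alice_claim = m._decrease_user_share("alice", STAKED_SALT, 100)
    return {
        "salt_sent_to_airdrop": to_airdrop,
        "airdrop_salt_balance": m.salt_balance.get(AIRDROP, 0),
        "alice_claimed": alice_claim,
    }


if __name__ == "__main__":
    print(run_scenario(500))  # rewards present: 50 SALT end up at the Airdrop address
    print(run_scenario(0))    # no rewards: nothing is sent, the report's claim does not trigger
```

Under these assumptions the SALT only lands in the Airdrop contract if rewards were actually credited to the STAKED_SALT pool while the Airdrop held shares; a complete proof of the finding would need to show that this happens on the real contracts and that the Airdrop contract has no path to move the received SALT.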

c4-judge commented 9 months ago

Picodes marked the issue as unsatisfactory: Insufficient proof