Closed c4-bot-2 closed 4 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
This is acceptable and any SALT in the Airdrop contract will be treated as not being part of the circulating supply.
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/Staking.sol#L134
Vulnerability details
When the protocol is launched, 3 million SALT is allocated to the xSALT staking contract and 5 million SALT can be claimed by the airdrop participants.
So 1% from 3 million(30k) will likely be available for claim in the xSALT contract right after the protocol launches. And because the circulating supply will initially be so small, it is likely that the first depositor in the xSALT contract will be someone claiming their airdrop.
The airdrop contract first stakes the SALT to be airdropped and then it unstakes it and stakes again but for the user. The problem here is that the when
existingTotalShares
!= 0 thevirtualRewards
are not added so for example:transferStakedSaltFromAirdropToUser()
:And as you can see _decreaseUserShare() is called with msg.sender, so 30k SALT will be transferred to the Airdrop contract and will be stuck there forever because when decreasing shares we are also claiming the rewards and the
virtualRewards
are not set so the Airdrop contract just gets all the rewards.Impact
SALT gets transferred to the Airdrop contract and will be stuck there forever.
Proof of Concept
Add this to
Staking.t.sol
Tools Used
Foundry
Recommended Mitigation Steps
Add a function in Airdrop to withdraw this SALT
Assessed type
Other