TokenOwner can increase the lock duration of the token Receiver without adding any funds on behalf of the receiver.
Proof of Concept
A player A can send 0 quantity on behalf of another player B. And as a result player B is locked with 0 amount for uint32(block.timestamp) + uint32(_lockDuration) time
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L275-L294 https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L311-L399
Vulnerability details
Impact
TokenOwner can increase the lock duration of the token Receiver without adding any funds on behalf of the receiver.
Proof of Concept
A player A can send
0 quantity
on behalf of another player B. And as a result player B is locked with 0 amount foruint32(block.timestamp) + uint32(_lockDuration)
timehttps://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L275-L294
https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L311-L399 function _lock( .... ) private {
Hence , one player can lock another player's fund for indefinite time if they wanted to.
Tools Used
Manual Review
Recommended Mitigation Steps
If the _quantity is 0 , revert
Assessed type
Timing