code-423n4 / 2024-05-munchables-validation

0 stars 0 forks source link

Anyone can grief users unlock time by locking dust amounts on behalf of that user . #546

Open c4-bot-4 opened 6 months ago

c4-bot-4 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L382

Vulnerability details

Impact

Anyone can increse/grief users unlock time repeatedly by locking dust amounts .

Proof of Concept

lockOnBehalf functionality is for locoking on behalf of other users . Calling this function with a valid user as recipient will result in a increase in user's unlocktime equal to his lockduration . And there are no minimum threshold for the locking amount(_quantity) .

 function lockOnBehalf(
        address _tokenContract,
        uint256 _quantity,
        address _onBehalfOf
    )
        //..
    {
        address tokenOwner = msg.sender;
        address lockRecipient = msg.sender;
        if (_onBehalfOf != address(0)) {
            lockRecipient = _onBehalfOf;
        }
        _lock(_tokenContract, _quantity, tokenOwner, lockRecipient);
    }
 function _lock(
        address _tokenContract,
        uint256 _quantity,
        address _tokenOwner,
        address _lockRecipient
    ) private {
       //..
        lockedToken.quantity += _quantity;
        lockedToken.lastLockTime = uint32(block.timestamp);
@>          lockedToken.unlockTime =//@audit-issue 
            uint32(block.timestamp) +
            uint32(_lockDuration);

This can be used against user by locking dust amount of tokens on behalf of the victim . As there are no threshold regarding minimum locking amount ,locking dust amount of token will prolong user's unlocktime . And user will fail to unlock his funds as intended .And repeatedly doing this users fund can be locked for very long time . Because of the low gas cost on Blast Chain , this exploit can be pulled of in very low cost .

Tools Used

Manual review

Recommended Mitigation Steps

Two mitigation is possible :

  1. Implement a minimum locking amount check .(Doesnot mitigate the issue completely )
  2. Have a functionality where user can enable/disable " behalf of" locking on his position .

Assessed type

Context