Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L383
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L290
Vulnerability details
Impact
An attacker can keep extending the unlockTime of any user without needing permission, preventing any user they choose from ever unlocking.
Proof of Concept
The lockOnBehalf() function allows anyone to lock on behalf of any user:
Note that there is no minimum amount required to call this function, meaning it can be called with 1 wei. Also note that no permission is required to call the function on behalf of any user. The issue is that, at the end of the _lock() function, the recipient's unlockTime is updated:
This gives attackers the ability to keep extending the unlockTime of any user without needing permission, preventing any user they choose from unlocking.
Tools Used
Manual Review
Recommended Mitigation Steps
Allow users to grant permission for who can lock on behalf of them.
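The pattern from the Proof of Concept and the approval-based mitigation above, as a simplified illustration added here; this is not the project's LockManager code, and the contract, storage layout and LOCK_DURATION value are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only (not the Munchables LockManager): a minimal locker
// showing why an unpermissioned lockOnBehalf() lets a third party extend
// someone else's unlockTime, and how an explicit opt-in approval prevents it.
contract LockExample {
    struct Lock { uint256 quantity; uint256 unlockTime; }

    uint256 public constant LOCK_DURATION = 30 days; // assumed value
    mapping(address => Lock) public locks;

    // Mitigation: each account records which callers may lock on its behalf.
    mapping(address => mapping(address => bool)) public approvedLockers;

    function setApprovedLocker(address locker, bool approved) external {
        approvedLockers[msg.sender][locker] = approved;
    }

    // Vulnerable shape: no caller check and no minimum amount, so a 1 wei
    // deposit by anyone pushes the recipient's unlockTime forward again.
    function lockOnBehalfUnchecked(address recipient) external payable {
        _lock(recipient, msg.value);
    }

    // Hardened shape: only the recipient, or a locker the recipient approved,
    // may extend that recipient's lock.
    function lockOnBehalf(address recipient) external payable {
        require(
            msg.sender == recipient || approvedLockers[recipient][msg.sender],
            "locker not approved by recipient"
        );
        _lock(recipient, msg.value);
    }

    function _lock(address recipient, uint256 quantity) internal {
        Lock storage l = locks[recipient];
        l.quantity += quantity;
        // The update that makes the griefing possible: every lock, however
        // small, resets the unlock time relative to the current block.
        l.unlockTime = block.timestamp + LOCK_DURATION;
    }
}
```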
Assessed type
Access Control