A user can trigger their plotMetadata via triggerPlotMetadata() if they deposited before the LandManager was deployed.
    // Only to be triggered by msg sender if they had locked before the land manager was deployed
    function triggerPlotMetadata() external override notPaused {
        (address mainAccount, ) = _getMainAccountRequireRegistered(msg.sender);
        if (plotMetadata[mainAccount].lastUpdated != 0)
            revert PlotMetadataTriggeredError();
        plotMetadata[mainAccount] = PlotMetadata({
            lastUpdated: block.timestamp,
            currentTaxRate: DEFAULT_TAX_RATE
        });
        emit UpdatePlotsMeta(mainAccount);
    }
A malicious user can frontrun this function and stake on that landlord before it executes. As a result, the tax rate applied to the staker will be 0, because the landlord's currentTaxRate is still 0 (their plotMetadata has not been initialised yet).
Lines of code
https://github.com/code-423n4/2024-07-munchables/blob/94cf468aaabf526b7a8319f7eba34014ccebe7b9/src/managers/LandManager.sol#L104
https://github.com/code-423n4/2024-07-munchables/blob/94cf468aaabf526b7a8319f7eba34014ccebe7b9/src/managers/LandManager.sol#L166
Vulnerability details
Impact
A user can trigger their plotMetadata via triggerPlotMetadata() if they deposited before the LandManager was deployed.
A malicious user can frontrun this function and stake on that landlord before it executes. As a result, the tax rate applied to the staker will be 0, because the landlord's currentTaxRate is still 0 (their plotMetadata has not been initialised yet).
Proof of Concept
https://github.com/code-423n4/2024-07-munchables/blob/94cf468aaabf526b7a8319f7eba34014ccebe7b9/src/managers/LandManager.sol#L104C2-L114C6
https://github.com/code-423n4/2024-07-munchables/blob/94cf468aaabf526b7a8319f7eba34014ccebe7b9/src/managers/LandManager.sol#L162C7-L168C12
Tools Used
VS Code
Recommended Mitigation Steps
Before allowing a stake on a landlord, check that the landlord's plotMetadata has already been triggered (lastUpdated != 0) and revert otherwise.
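As an added illustration of this mitigation (example code written for this report, not code from the Munchables repository; the contract name, stakeOnUnchecked, stakeOnChecked, stakedTaxRate, PlotMetadataNotTriggeredError and the reduced storage layout are hypothetical, and the registration lookup is omitted), a minimal contract showing the unchecked stake path next to a version that refuses to stake on a landlord whose plotMetadata was never triggered:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced model of the LandManager storage (hypothetical, not the project's code).
contract PlotMetadataGuardExample {
    struct PlotMetadata {
        uint256 lastUpdated;    // stays 0 until triggerPlotMetadata has run for this account
        uint256 currentTaxRate;
    }

    uint256 public constant DEFAULT_TAX_RATE = 1e16; // placeholder value, not the project's constant

    mapping(address => PlotMetadata) public plotMetadata;
    // landlord => staker => tax rate locked in at stake time
    mapping(address => mapping(address => uint256)) public stakedTaxRate;

    error PlotMetadataTriggeredError();
    error PlotMetadataNotTriggeredError();

    // Mirrors the function quoted in the finding: one-time initialisation by the landlord.
    function triggerPlotMetadata() external {
        if (plotMetadata[msg.sender].lastUpdated != 0) revert PlotMetadataTriggeredError();
        plotMetadata[msg.sender] = PlotMetadata({
            lastUpdated: block.timestamp,
            currentTaxRate: DEFAULT_TAX_RATE
        });
    }

    // Unchecked path: the rate is copied straight from storage, so a landlord whose
    // metadata was never triggered yields a rate of 0 for whoever stakes first.
    function stakeOnUnchecked(address landlord) external {
        stakedTaxRate[landlord][msg.sender] = plotMetadata[landlord].currentTaxRate;
    }

    // Hardened path: lastUpdated == 0 means the landlord never initialised their
    // plot metadata, so the stake is refused until triggerPlotMetadata has run.
    function stakeOnChecked(address landlord) external {
        if (plotMetadata[landlord].lastUpdated == 0) revert PlotMetadataNotTriggeredError();
        stakedTaxRate[landlord][msg.sender] = plotMetadata[landlord].currentTaxRate;
    }
}
```

Calling stakeOnUnchecked before the landlord's triggerPlotMetadata records a rate of 0, while stakeOnChecked reverts in the same situation and only succeeds once the landlord's metadata carries a non-zero lastUpdated.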
Assessed type
Invalid Validation