Closed sherlock-admin closed 2 years ago
hickuphh3

medium

Curve is not guaranteed to be monotonically increasing

Summary

getMultiplier() fails if the curve is not monotonically increasing. However, this condition is not enforced.

Vulnerability Detail

Subtraction overflow is encountered in getMultiplier() when curve[n + 1] < curve[n].

return 1e18 + curve[n] + (_lockDuration - n * unit) * (curve[n + 1] - curve[n]) / unit;

Impact

Attempts to deposit, increase lock duration or amount may revert.

Code Snippet

https://github.com/Merit-Circle/merit-liquidity-mining/blob/ce5feaae19126079d309ac8dd9a81372648437f1/contracts/TimeLockPool.sol#L245

Tool used

Manual Review

Recommendation

When setting a new curve or a new point, the monotonic increase condition should be checked.

Duplicate of #111
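One way to apply the recommendation, shown as an added example that is not the Merit Circle code: the check runs both when the whole curve is replaced and when a single point is changed, so curve[n + 1] - curve[n] in getMultiplier() can never underflow. The contract name, the setter names and signatures, the custom errors and the pragma are assumptions made for illustration, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example (hypothetical contract, not the project's TimeLockPool).
// Equal neighbouring points are accepted here: a flat segment gives
// curve[n + 1] - curve[n] == 0, which does not underflow. Use <= in the
// comparisons instead if strictly increasing curves are required.
contract CurveGuard {
    error CurveTooShort();
    error CurveNotMonotonic(uint256 index); // index of the lower point of the bad step
    error PositionOutOfRange();

    uint256[] public curve;

    // Replace the whole curve; reject any step where the next point is lower.
    function setCurve(uint256[] calldata _curve) external {
        if (_curve.length < 2) revert CurveTooShort();
        for (uint256 i = 0; i + 1 < _curve.length; i++) {
            if (_curve[i + 1] < _curve[i]) revert CurveNotMonotonic(i);
        }
        curve = _curve;
    }

    // Change one existing point; it must stay between its two neighbours,
    // otherwise a later interpolation across that segment would revert.
    function setCurvePoint(uint256 _position, uint256 _newPoint) external {
        uint256 len = curve.length;
        if (_position >= len) revert PositionOutOfRange();
        if (_position > 0 && _newPoint < curve[_position - 1]) {
            revert CurveNotMonotonic(_position - 1);
        }
        if (_position + 1 < len && curve[_position + 1] < _newPoint) {
            revert CurveNotMonotonic(_position);
        }
        curve[_position] = _newPoint;
    }
}
```

Rejecting the bad curve at configuration time moves the revert from user-facing deposit and lock-extension calls to the privileged setter, where it is visible to whoever is changing the curve.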