search

sherlock-audit / 2022-10-merit-circle-judging

1 stars 0 forks source link

holyhansss - [MED] User’s fund can be lock more or less than expected by arbitrary max duration time. #90

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

holyhansss

medium

[MED] User’s fund can be lock more or less than expected by arbitrary max duration time.

Summary

According to resource provide, it says

Merit Circle Staking V2 is a module where holders of MC or MC/ETH LP tokens can lock their tokens up to 48 months to get rewards

The maximum duration of the timeLockPool is 48 months. However, timeLockPool.__TimeLockPool_init, it does not validate the max duration. Therefore, the user's fund can be locked more or less than expected by arbitrary max duration time.

Vulnerability Detail

timeLockPool.sol #L35-L63

timeLockPool.__TimeLockPool_init function sets important initial values. The function validates whether the _maxLockDuration is less than MIN_LOCK_DURATION, but does not validate whether the _maxLockDuration is equal to 48 months.

Since the factory contract is not provided, I cannot verify this vulnerability with the Factory contract. However, since it is validating _maxLockDuration bigger than MIN_LOCK_DURATION, it can be assumed that the factory contract does not validate the _maxLockDuration.

Impact

The protocol set maxLockDuration longer than 48 months. Then users want to stake MC token for max duration. However, the maxLockDuration is set for more than 48 months, the user’s fund will be locked longer than expected, which is possible to take financial damage.

Code Snippet

timeLockPool.sol #L35-L63

        if (_maxLockDuration < MIN_LOCK_DURATION) {
            revert SmallMaxLockDuration();
        }
        ...
        maxLockDuration = _maxLockDuration;
    }

Tool used

Manual Review

Recommendation

Consider adding input validation for _maxLockDuration to be equal to 48 months.