Closed sherlock-admin closed 1 year ago
Nyx
medium
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L476 When users deposit to the carousel, and If they want to deposit in the next epoch, they can set epochId to 0, and they will be pushed to DepositQueue. And then, relayers can use mintDepositInQueue() function to mint users shares.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310
But relayers can select epochId to whatever they want.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334-L338 So they can mint users shares other than the next epoch.
Users might have different epoch than they want.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355
Manual Review
mintDepositInQueue() should only be callable for the next epoch.
Nyx
medium
Users might have different epoch than they want.
Summary
Vulnerability Detail
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L476 When users deposit to the carousel, and If they want to deposit in the next epoch, they can set epochId to 0, and they will be pushed to DepositQueue. And then, relayers can use mintDepositInQueue() function to mint users shares.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310
But relayers can select epochId to whatever they want.
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334-L338 So they can mint users shares other than the next epoch.
Impact
Users might have different epoch than they want.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L310-L355
Tool used
Manual Review
Recommendation
mintDepositInQueue() should only be callable for the next epoch.