search

sherlock-audit / 2023-03-Y2K-judging

7 stars 1 forks source link

datapunk - The assignment should be made only if ownerToRollOverQueueIndex[_receiver] == 0 #503

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

datapunk

high

The assignment should be made only if ownerToRollOverQueueIndex[_receiver] == 0

Summary

enlistInRollover makes assignment at the end:
ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;
However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zero

Vulnerability Detail

enlistInRollover makes assignment at the end:
ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;
However, this is wrong when ownerToRollOverQueueIndex[_receiver] starts off as non-zero

Impact

This effectively transfer the ownership of rollover amount of the last rollover to other users, who can then change the receiver and claim the amount

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L268

Tool used

Manual Review

Recommendation

Move ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length; inside of the else block

Duplicate of #2