sherlock-audit / 2023-10-mzero-judging

00001111x0 - Unapproved MToken earners can keep earning indefinitely, reducing yield for approved earners #35

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

00001111x0

medium

Unapproved MToken earners can keep earning indefinitely, reducing yield for approved earners

Summary

Unapproved MToken earners can keep earning, which reduces yield for approved earners.

Vulnerability Detail

MToken holders require governance approval to start earning MTokens, and the function to stop holders from earning can only act on msg.sender. There's no way to stop an unapproved earner from continuing to earn.

    function startEarning() external {
        _revertIfNotApprovedEarner(msg.sender);
        _startEarning(msg.sender);
    }

    /// @inheritdoc IMToken
    function stopEarning() external {
        _stopEarning(msg.sender);
    }

The documentation states that "If an address is removed from the Earner’s list, Stop Earning can be called with the address in question passed as an argument to the method." This is not possible in the code.

Impact

Loss of earnings for approved earners.

Code Snippet

https://github.com/sherlock-audit/2023-10-mzero/blob/main/protocol/src/MToken.sol#L100-L108

Tool used

Manual Review

Recommendation

Add a function that can stop unapproved earners from earning.

Duplicate of #33
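
A minimal model of the reported behaviour and of the recommendation above, as an added example that is not part of the original report or of the project's code. The `EarnerModel` contract, the `governor`-written approval mapping, the error names and the `stopEarning(address)` overload are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's source. The approval list is modelled
// as a plain mapping written by a single `governor` address (an assumption);
// the real contract's approval source is not shown on this page.
contract EarnerModel {
    error NotGovernor();
    error NotApprovedEarner();
    error IsApprovedEarner();

    address public immutable governor;
    mapping(address => bool) public isApprovedEarner;
    mapping(address => bool) public isEarning;

    constructor() {
        governor = msg.sender;
    }

    // Governance adds or removes an address from the earners list.
    function setApproved(address account, bool approved) external {
        if (msg.sender != governor) revert NotGovernor();
        isApprovedEarner[account] = approved;
    }

    // Approval is checked only here, at opt-in time.
    function startEarning() external {
        if (!isApprovedEarner[msg.sender]) revert NotApprovedEarner();
        isEarning[msg.sender] = true;
    }

    // As reported: only the earner itself can opt out, so an address removed
    // from the list after opting in stays in the earning state.
    function stopEarning() external {
        isEarning[msg.sender] = false;
    }

    // Hypothetical fix: anyone may stop an account that is no longer approved.
    // Accounts that are still approved cannot be stopped by a third party.
    function stopEarning(address account) external {
        if (isApprovedEarner[account]) revert IsApprovedEarner();
        isEarning[account] = false;
    }
}
```

A regression test for the fix would approve an address, have it call `startEarning()`, revoke the approval, and then check that `stopEarning(address)` from an unrelated caller clears `isEarning` while the same call against a still-approved address reverts.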

sherlock-admin3 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid; medium(2)