search

sherlock-audit / 2024-05-sophon-judging

7 stars 6 forks source link

ArsenLupin - User loose up to 50% t ofhe balance if he deposit _boostAmount via _deposit function. #210

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 4 months ago

ArsenLupin

high

User loose up to 50% t ofhe balance if he deposit _boostAmount via _deposit function.

Summary

User could loose up to 50% of his balance due to incorrect calculation in the _deposit function

Vulnerability Detail

The boostAmount it is an amount that will be counted in user.amount but will not possible to be withdrawn. Users are incentivised to put(stake) money as a boostAmount because it has multiplier on the amount staked (2e18), thus increase the amount staked which will result in more airdrop rewards.

If am an ordinary user, i provide the 1000e18 tokens via the _deposit function, where 500e18 _depositAmount and other 500e18 is _boostAmount. In this case the _deposit function will calculate my function as follows

  1. It is the first issue, it will incorrectly calculate the _depositAmount. 
_depositAmount = _depositAmount - _boostAmount;

After that _boostAmount will multiply by 2e18 and result in == 1000e18 Eventually, the user.amount = _depositAmount + _boostAmount which result in 1000e18 It means, that the user has no _depositedAmount so he can't increaseBoost on his balance and his user.amount is 1000e18, while in theory he SHOUD BE ABLE to increase his boost balance by 500e18 at least. Let's see

If this user would be aware enough , he would not set any _boostAmount in the _deposit function and deposit simply 1000e18, and his user.amount would be 1000e18 (which will include only _depositAmount). After that, the user could call the increaseBoost function, where he could increase by maxAdditionalBoost which is his _depositedBalance equal to the 1000e18. Eventually, the user.amount calculated via

userAmount + finalBoostAmount - _boostAmount; (1000e18 + 2000e18 - 1000e18)

And the user then receive the correct user.amount! His overall balance would be 2000e18.

Impact

The user loose the balance if we input _boostAmount in the _deposit function

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L600-L601

Tool used

Manual Review

Recommendation

Adjust the calculation, run the test and make sure that users doesn't loose the balance compare to two options of increasing balance.

sherlock-admin3 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because the boost purchasable is working as intended