Closed sherlock-admin2 closed 2 months ago
In the 'MlumStaking' contract, users can earn rewards without locking their tokens for a certain period of time.
In the vote()
function, users can vote even if the lock period has expired. This allows users to abuse the system without adhering to the rules specified in the documentation.
Users may gain an unfair advantage in the reward earning process. Users with expired locks may cast votes, causing undesirable behavior in the system.
A minimum lock duration check should be added in the createPosition()
function. The remaining lock duration check should be made in the vote()
function.
Both sets of findings lead to abuse of the system due to not controlling the staking duration Therefore, their common points are; "No Lock Control , no lock duration control"
"New stakes will dilute rewards for old stake issue"
The protocol team fixed this issue in the following PRs/commits: https://github.com/metropolis-exchange/magicsea-staking/pull/7
The Lead Senior Watson signed off on the fix.
oualidpro
Medium
It is possible to earn rewards in
MlumStaking
staking contract without locking tokens for a period of timeSummary
Due to not checking the
lockDuration
to a minimum value, people can create positions without locking their token for a period of time and earn rewards.Vulnerability Detail
To create a new staking position we can call the following function in
MlumStaking
contract:However, as you can see this function dosn't check if the
lockDuration
chosed by the user respect a minimum value or at least grather than 0. Therefore, users can create positions with a lockDuration equal to 0. By doing this, users can keep earning rewards without locking their tokens, and they become able to withdraw at any moment they want.Here is a proof of concept to reproduce this vulnerability:
add the previous PoC to MlumStaking.t.sol file to correctly reproduce this vulnerability.
Impact
This lead to unfair advantage where some users exploit the system to continuously earn rewards without any risk or commitment.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L354-L390
Tool used
Manual Review
Recommendation
Check for a minimum value for the
lockDuration
when a new position is created.Duplicate of #74