Closed sherlock-admin3 closed 1 month ago
This issue does not indicate a security vulnerability or critical flaw. The change to dynamic month duration calculation is more of a design improvement rather than a necessity for security or functionality.
Additionally, static month duration has been commonly used in financial contracts without significant issues.
The recommended change addresses user convenience and precision but does not mitigate any direct threat to the contract’s integrity or operation. Thus, the reported issue is considered invalid from a security standpoint.
Also Booster.sol is out of scope
https://github.com/sherlock-audit/2024-06-magicsea/tree/main?tab=readme-ov-file#audit-scope
chitranshu
Medium
Audit Report: Integration of Dynamic Month Duration Calculation in
Booster
Smart ContractSummary
The proposed integration of the
NextMonthDays
library into theBooster
smart contract aims to replace the static definition of month duration (SEC_PER_MONTH
) with a dynamic calculation based on the actual number of days in the next calendar month. This enhancement provides users with accurate information regarding the end time of reward periods, aligning with business model requirements for clarity and precision.Vulnerability Detail
The current implementation of SEC_PER_MONTH in the Booster smart contract uses a fixed value of 2,628,000 seconds, equating to approximately 30 days. However, this static definition does not account for variations in the number of days per month due to leap years and calendar irregularities. This could lead to discrepancies between the expected and actual end times of reward periods, potentially confusing users and affecting the accuracy of financial projections. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/booster/Booster.sol#L111 By integrating the NextMonthDays library, the contract dynamically calculates the duration of the next month based on the current timestamp. This approach mitigates the risk of inaccuracies stemming from static month duration assumptions, ensuring that reward end times are reliably aligned with calendar months.
Impact
Medium: The impact of inaccuracies in reward period calculations can lead to user confusion and misaligned expectations regarding the availability of rewards. In financial applications such as staking contracts, where timing precision is crucial, discrepancies in reward period end times could undermine user trust and satisfaction.
Code Snippet
Tool used
Manual Review
Recommendation
To enhance the robustness and usability of the
Booster
smart contract, consider integrating theNextMonthDays
library as proposed. This integration ensures that reward period end times accurately reflect the actual number of days in the next calendar month, thereby providing users with transparent and predictable reward scheduling. Additionally, document the integration thoroughly to facilitate understanding and maintenance by future developers.