MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved.

Summary

Wrongly calculated position.lockMultiplier.

Vulnerability Detail

position.lockMultiplier should be actually the value getMultiplierByLockDuration(position.initialLockDuration)

 function _lockPosition(uint256 tokenId, uint256 lockDuration, bool resetInitial) internal {
        ....
         if (resetInitial) {
            require(lockDuration > position.initialLockDuration, "invalid");
            position.initialLockDuration = lockDuration;
        }
        _harvestPosition(tokenId, msg.sender); 

        // update position and total lp supply
        position.lockDuration = lockDuration;
->      position.lockMultiplier = getMultiplierByLockDuration(lockDuration);  //.. @audit initialLockDuration for renewLockDuration because we are not changing the lockduration
        position.startLockTime = currentBlockTimestamp;
        _updateBoostMultiplierInfoAndRewardDebt(position);

        emit LockPosition(tokenId, lockDuration);
    }

When a user renew lockDuration of a position using renewLockPosition() without resetting the initialLockDuration , position.lockMultiplier will be calculated using the new lockDuration which can be less than initialLockDuration.

Impact

position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L509-L514 https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L691-L719

Tool used

Manual Review

Recommendation

position.lockMultiplier = getMultiplierByLockDuration(initialLockDuration);

Duplicate of #138

sherlock-audit / 2024-06-magicsea-judging

dhank - MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved. #639