Multipliers in MlumStaking are incorrectly calculated in getMultiplierByLockDuration function.
Vulnerability Detail
When a user wants to stake an amount of Mlum tokens, he can call the createPosition function and pass the amount of the tokens and the lockDuration he wants. Seeing the docs, he expects these multipliers but due to the fact that getMultiplierByLockDuration is implemented incorrectly, the multipliers he is getting is not the one he expected. Lets see the getMultiplierByLockDuration function :
function getMultiplierByLockDuration(uint256 lockDuration) public view returns (uint256) {
// in case of emergency unlock
if (isUnlocked()) return 0;
if (_maxLockDuration == 0 || lockDuration == 0) return 0;
// capped to maxLockDuration
if (lockDuration >= _maxLockDuration) return _maxLockMultiplier;
return (_maxLockMultiplier * lockDuration) / (_maxLockDuration);
}
This function returns multipliers that are not matched with the docs. Let's take for example 90 days which must have multiplier 1.5x as seen in the docs. The function will return :
20000 * 7776000 / 31536000 = 4921
As we can see 4921 plus 10000 is equal 14921 which is not 15000 which is 1.5x. Also due to the rounding down users who deposit for under 26 minutes will get 0 multiplier while this should be the case. This is true because :
20000 * 1560(26 minutes in seconds) / 31536000 = 0,98
0,98 in Solidity will be 0.
Impact
This vulnerability leads to users do not take the multiplier they expected or do not take any multiplier at all even though they should have. As a result they get less rewards or their votes are reduced.
zarkk01
High
Multipliers in
MlumStakingare incorrectly calculated ingetMultiplierByLockDurationfunction.Vulnerability Detail
When a user wants to stake an amount of
Mlumtokens, he can call thecreatePositionfunction and pass the amount of the tokens and thelockDurationhe wants. Seeing the docs, he expects these multipliers but due to the fact thatgetMultiplierByLockDurationis implemented incorrectly, the multipliers he is getting is not the one he expected. Lets see thegetMultiplierByLockDurationfunction :This function returns multipliers that are not matched with the docs. Let's take for example 90 days which must have multiplier 1.5x as seen in the docs. The function will return :
As we can see 4921 plus 10000 is equal 14921 which is not 15000 which is 1.5x. Also due to the rounding down users who deposit for under 26 minutes will get 0 multiplier while this should be the case. This is true because :
0,98in Solidity will be0.Impact
This vulnerability leads to users do not take the multiplier they expected or do not take any multiplier at all even though they should have. As a result they get less rewards or their votes are reduced.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L217
Tool used
Manual Review
Recommendation
Consider calculating the multiplier a user gets to be exactly matched with these mutliplier shown in the docs.
Duplicate of #185