search

sherlock-audit / 2024-06-magicsea-judging

8 stars 5 forks source link

neogranicen - Staker in the MasterchefV2 will lose all his rewards upon emergency withdrawal #671

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

neogranicen

Medium

Staker in the MasterchefV2 will lose all his rewards upon emergency withdrawal

Summary

When a user withdraws using an emergencyWithdraw having not claimed his rewards, he will lose all his them.

Vulnerability Detail

The rewards to be given to a user are calculated by subtracting the debt per share multiplied by his balance before the transaction by his reward debt but because the emergencyWithdraw makes the balance 0 without calling _modify all the rewards of the user are going to be lost and when he tries to call claim his transaction will revert with an underflow error

Its clear that this behavior is not intentional from the fact that the user could have claimed all his rewards before emergencyWithdraw and then called emergencyWithdraw and by the fact that there is an underflow error which proves that this was a mistake.

Impact

Users who call emergencyWithdraw without having claimed their rewards are going to lose all of them

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MasterchefV2.sol#L326

Tool used

Manual Analysis

Recommendation

call the _modify to ensure everything gets updated and the rewards are sent properly

WangSecurity commented 2 months ago

Invalid based on the discussion under #460