The checking on whether the lock time of the position is sufficient for voting is incorrect
Summary
The checking (Voter.sol:175) on whether the lock time of the position is sufficient for voting is incorrect. As a result, when the remaining lock time of the position is smaller than the voting period duration, the position owner can double the voting power of his staked tokens.
Vulnerability Detail
In Voter.sol:175, it is the position's lockDuration is used to compare with the _periodDuration, instead of the remaining lock time of the position. As a result, when the remaining lock time of the position is smaller than the voting period duration, the position owner can double the voting power of his staked tokens with the following steps.
We assume that _minimumLockTime and _periodDuration in Voter.sol are in their default value, i.e. _minimumLockTime = 90 days and _periodDuration = 14 days.
Alice staked N tokens for 90 days, thus the initialLockDuration and lockDuration of her position are both 90 days.
At day 80, there are 10 days left to unlock the position (10 days < voter's _periodDuration).
Alice make a vote with her position.
At day 100 (some day after day 90 and before day 104 [90 days + 14 days]), Alice withdraws from her position and gets her N tokens back.
Alice restake the N tokens for another 90 days before day 104, and she gets a new position id.
Alice can vote again with her new position id, and she gets double the voting power in total of the staked N tokens.
ydlee
Medium
The checking on whether the lock time of the position is sufficient for voting is incorrect
Summary
The checking (
Voter.sol:175
) on whether the lock time of the position is sufficient for voting is incorrect. As a result, when the remaining lock time of the position is smaller than the voting period duration, the position owner can double the voting power of his staked tokens.Vulnerability Detail
In
Voter.sol:175
, it is the position'slockDuration
is used to compare with the_periodDuration
, instead of the remaining lock time of the position. As a result, when the remaining lock time of the position is smaller than the voting period duration, the position owner can double the voting power of his staked tokens with the following steps._minimumLockTime
and_periodDuration
inVoter.sol
are in their default value, i.e._minimumLockTime = 90 days
and_periodDuration = 14 days
.initialLockDuration
andlockDuration
of her position are both 90 days._periodDuration
).https://github.com/sherlock-audit/2024-06-magicsea/tree/main/magicsea-staking/src/Voter.sol#L175-L177
Impact
User can double the voting power of his staked tokens in certain conditions, which can lead to the manipulation of the voting result.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/tree/main/magicsea-staking/src/Voter.sol#L175-L177
Tool used
Manual Review
Recommendation
Use the position's remaining lock duration, instead of the
lockDuration
to check whether the lock time of the position is sufficient for voting.Duplicate of #166