Closed sherlock-admin2 closed 4 months ago
The line of code that is causing the problem is specified as follows:
votingPower = _mlumStaking.getStakingPosition(tokenId).amountWithMultiplier;
Here amountWithMultiplier is used, which means that the voting power can be increased depending on the locking period.
This is a clear architectural choice. The main purpose of the system is to encourage long-term participation, so the current architecture makes sense.
karsar
Medium
User can vote more than the amount deposited
Summary
Vulnerability Detail
The vote function calculates votingPower using amountWithMultiplier retrieved from _mlumStaking.getStakingPosition(tokenId). This could lead to inflated voting power, which would be beneficial for a user who has a large lock duration, which can result in more voting power and lead to more rewards from voting.
Impact
Users with longer lock durations can gain excessive voting power compared to their actual stake.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L153
Tool used
Manual Review
Recommendation
Calculate voting power with amount rather than amountWithMultiplier.