Closed sherlock-admin2 closed 3 months ago
The main reason for this error is that the loop used to calculate the reward periods incorrectly performs an extra iteration. The <= operator used in the loop creates one more reward period than necessary.
Incorrect Code:
    for (uint256 i = 0; i <= bribeEpochs; ++i) {
        _rewards.push();
    }
This code should create as many reward periods as bribeEpochs, but it creates one more period.
Fix Suggestion:
    for (uint256 i = 0; i < bribeEpochs; ++i) {
        _rewards.push();
    }
This fix ensures that the loop iterates the correct number of times and prevents the creation of an extra reward period.
This issue was initially classified as medium severity, but after further investigation it should be re-evaluated as low severity.
    for (uint256 i = 0; i <= bribeEpochs; ++i) {
        _rewards.push();
    }
Risk of Insufficient Funds: The _bribe() function only checks if there are sufficient funds for the periods from startId to lastId. Since calcTotalAmount() works correctly, there is no risk of forcibly overfunding an extra period. That is, bribe is initiated only when there are enough funds for the correct periods.
Vote Restriction: The _bribe() function adds this reward distributor to the list for each valid period by calling Voter.onRegister(). However, getBribePeriods() never touches the incorrect period (lastId+1); it only touches the correct periods.
Invalid Vote Period: Since the bribe rewarder is not registered for the lastId+1 period, the bribe rewarder is not notified when users vote in this period. Therefore, the bribe rewards from this incorrect period will never be distributed because there will be no votes.
The bribe rewards from the incorrect period will never be distributed and the rewards for this period will not be stuck because the admin did not have to send these rewards.
Therefore, creating additional reward periods may only cause unnecessary gas consumption in practice. However, it does not constitute an extra reward for users or a serious security vulnerability for the system.
The protocol team fixed this issue in the following PRs/commits: https://github.com/metropolis-exchange/magicsea-staking/pull/19
The Lead Senior Watson signed off on the fix.
0xc0ffEE
High
User get more reward from BribeRewarder
Summary
Wrong number of reward per period is created, causing the users to claim reward 1 more extra time
Vulnerability Detail
In the function BribeRewarder#_bribe, bribeEpochs number of period rewards should be used, however bribeEpochs+1 loops are used to create _rewards.
Impact
As a result, users will be able to claim reward for bribeEpochs+1 periods. More rewards will be used
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L144
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L264-L266
Tool used
Manual Review
Recommendation
Consider changing
    for (uint256 i = 0; i <= bribeEpochs; ++i)
to
    for (uint256 i = 0; i < bribeEpochs; ++i)
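
The report and the severity discussion turn on two things: how many reward slots the loop creates, and whether the extra slot's period is ever registered. The following is an added example, not part of the report and not MagicSea code; it is a constructed model in which every name other than _rewards and bribeEpochs is hypothetical, and it assumes bribeEpochs counts the periods startId..lastId inclusive.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model, not the MagicSea BribeRewarder; every name except
// _rewards and bribeEpochs is hypothetical.
contract PeriodSlotModel {
    struct Slot { uint256 totalDeposited; } // stand-in for one reward period
    Slot[] private _rewards;
    uint256 public startId;
    uint256 public lastId;
    mapping(uint256 => bool) public registered; // stand-in for voter registration

    function init(uint256 startId_, uint256 lastId_, bool inclusive) external {
        require(_rewards.length == 0, "already initialised");
        require(lastId_ >= startId_, "bad range");
        (startId, lastId) = (startId_, lastId_);
        // Assumption: bribeEpochs counts the periods startId..lastId inclusive.
        uint256 bribeEpochs = lastId_ - startId_ + 1;
        if (inclusive) {
            for (uint256 i = 0; i <= bribeEpochs; ++i) _rewards.push(); // reported loop
        } else {
            for (uint256 i = 0; i < bribeEpochs; ++i) _rewards.push(); // suggested loop
        }
        // Only the funded periods are registered, as the discussion describes.
        for (uint256 id = startId_; id <= lastId_; ++id) registered[id] = true;
    }

    // Slots beyond the funded range; nonzero means the loop overshot.
    function surplusSlots() external view returns (uint256) {
        if (_rewards.length == 0) return 0;
        return _rewards.length - (lastId - startId + 1);
    }

    // In this model a slot is reachable only if its period was registered.
    function slotIsReachable(uint256 index) external view returns (bool) {
        return index < _rewards.length && registered[startId + index];
    }
}

contract PeriodSlotCheck {
    function run() external returns (uint256 buggySurplus, uint256 patchedSurplus, bool extraReachable) {
        PeriodSlotModel buggy = new PeriodSlotModel();
        PeriodSlotModel patched = new PeriodSlotModel();
        buggy.init(5, 7, true);    // periods 5, 6, 7 (constructed values)
        patched.init(5, 7, false);
        buggySurplus = buggy.surplusSlots();
        patchedSurplus = patched.surplusSlots();
        extraReachable = buggy.slotIsReachable(3); // index 3 maps to period 8 = lastId + 1
    }
}
```

A check like surplusSlots() can be turned into a test invariant (slot count equals lastId - startId + 1) so an off-by-one in the creation loop fails the build.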