0xweebad - POSSIBLE UNDERFLOW IN _safeRewardTransfer() function in the MlumStaking.sol contract

[sherlock-admin4]

0xweebad

Medium

POSSIBLE UNDERFLOW IN _safeRewardTransfer() function in the MlumStaking.sol contract

Summary

In this _safeRewardTransfer() operation, the code first gets the current reward balance of the MlumStaking.sol contract using rewardToken.balanceOf(address(this)) . It makes a subtraction operation which it wrongly assumes that the return value of rewardToken.balanceOf(address(this)) is always less the _lastRewardBalance.

Vulnerability Detail

Impact

1. _safeRewardTransfer internal function takes an address and amount as parameters. It first logs the total reward tokens in the MlumStaking.sol contract and assigns the value to reward Balance. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L740

2. If the input amount parameter is greater than the current reward tokens in the contract, it makes a subtraction operation here, and updates the result to the _lastRewardBalance state variable. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L743

3. However, this is likely to underflow if the current tokens in the contract is higher than the _lastRewardBalance value.

4. The contract calculates or sets _lastRewardBalance to the number of reward tokens in the MlumStaking.sol contract during the call to updatePool(). See below : https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L576 https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L588

5. Now, if between the time _updatePool() and safeRewardTransfer() is called, there has been an accumulation of reward tokens, the the current reward tokens balance will be higher than the previous one that is stored in _lastRewardBalance. And as such, the subtraction will underflow and revert.

Code Snippet

Tool used

Manual Review

Recommendation

Before making the subtraction, check that _lastRewardBalance is greater than or equal to the current tokens in the contract.. Or you can first call the updatePool() .

[0xSmartContract]

• Since _updatePool has already been called in the addToPosition harvestPosition harvestPositionTo functions, _lastRewardBalance is updated correctly.
• The _harvestPosition function makes sure that _lastRewardBalance is up to date before calling _safeRewardTransfer.
• Therefore, when calling _safeRewardTransfer in the addToPosition function, we can make sure that _lastRewardBalance is correct and there is no underflow problem.