Closed sherlock-admin4 closed 3 months ago
_updatePool
has already been called in the addToPosition
harvestPosition
harvestPositionTo
functions, _lastRewardBalance
is updated correctly._harvestPosition
function makes sure that _lastRewardBalance
is up to date before calling _safeRewardTransfer
._safeRewardTransfer
in the addToPosition
function, we can make sure that _lastRewardBalance
is correct and there is no underflow problem.
0xweebad
Medium
POSSIBLE UNDERFLOW IN _safeRewardTransfer() function in the MlumStaking.sol contract
Summary
In this
_safeRewardTransfer()
operation, the code first gets the current reward balance of the MlumStaking.sol contract usingrewardToken.balanceOf(address(this))
. It makes a subtraction operation which it wrongly assumes that the return value of rewardToken.balanceOf(address(this)) is always less the _lastRewardBalance.Vulnerability Detail
Impact
_safeRewardTransfer
internal function takes an address and amount as parameters. It first logs the total reward tokens in the MlumStaking.sol contract and assigns the value to reward Balance. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L740If the input amount parameter is greater than the current reward tokens in the contract, it makes a subtraction operation here, and updates the result to the _lastRewardBalance state variable. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L743
However, this is likely to underflow if the current tokens in the contract is higher than the _lastRewardBalance value.
The contract calculates or sets _lastRewardBalance to the number of reward tokens in the MlumStaking.sol contract during the call to
updatePool()
. See below : https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L576 https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L588Now, if between the time
_updatePool()
andsafeRewardTransfer()
is called, there has been an accumulation of reward tokens, the the current reward tokens balance will be higher than the previous one that is stored in _lastRewardBalance. And as such, the subtraction will underflow and revert.Code Snippet
Tool used
Manual Review
Recommendation
Before making the subtraction, check that _lastRewardBalance is greater than or equal to the current tokens in the contract.. Or you can first call the
updatePool()
.