sherlock-audit / 2024-06-magicsea-judging

8 stars 5 forks source link

0xweebad - POSSIBLE UNDERFLOW IN _safeRewardTransfer() function in the MlumStaking.sol contract #691

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

0xweebad

Medium

POSSIBLE UNDERFLOW IN _safeRewardTransfer() function in the MlumStaking.sol contract

Summary

In this _safeRewardTransfer() operation, the code first gets the current reward balance of the MlumStaking.sol contract using rewardToken.balanceOf(address(this)) . It makes a subtraction operation which it wrongly assumes that the return value of rewardToken.balanceOf(address(this)) is always less the _lastRewardBalance.

Vulnerability Detail

Impact

  1. _safeRewardTransfer internal function takes an address and amount as parameters. It first logs the total reward tokens in the MlumStaking.sol contract and assigns the value to reward Balance. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L740

  2. If the input amount parameter is greater than the current reward tokens in the contract, it makes a subtraction operation here, and updates the result to the _lastRewardBalance state variable. https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L743

  3. However, this is likely to underflow if the current tokens in the contract is higher than the _lastRewardBalance value.

  4. The contract calculates or sets _lastRewardBalance to the number of reward tokens in the MlumStaking.sol contract during the call to updatePool(). See below : https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L576 https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L588

  5. Now, if between the time _updatePool() and safeRewardTransfer() is called, there has been an accumulation of reward tokens, the the current reward tokens balance will be higher than the previous one that is stored in _lastRewardBalance. And as such, the subtraction will underflow and revert.

Code Snippet

Tool used

Manual Review

Recommendation

Before making the subtraction, check that _lastRewardBalance is greater than or equal to the current tokens in the contract.. Or you can first call the updatePool() .

0xSmartContract commented 4 months ago