_unlockOperators will not be able to unlock any NFTs
Summary
The MlumStaking contract includes a role called _unlockOperators, who are authorized to unlock stakes before the lockup period has ended. However, the withdrawFromPosition() and emergencyWithdraw() functions restrict access to only the owner or approved address, causing calls by _unlockOperators to revert. This results in a denial-of-service (DoS) for the _unlockOperators functionality.
Vulnerability Detail
The MlumStaking contract implements an additional role called _unlockOperators. These authorized accounts should be able to unlock stakes before their lockup period has passed.
address public _operator; // Used to delegate multiplier settings to project's owners
The _unlockOperators should be able to unlock stakes via either withdrawFromPosition() or emergencyWithdraw(). Unfortunately, this does not work: both functions implement a check that restricts them to the token owner (or, for withdrawFromPosition(), the approved address). As a result, every call made by an _unlockOperator reverts.
withdrawFromPosition()
function withdrawFromPosition(uint256 tokenId, uint256 amountToWithdraw) external nonReentrant {
_requireOnlyApprovedOrOwnerOf(tokenId);
emergencyWithdraw()
function emergencyWithdraw(uint256 tokenId) external override nonReentrant {
_requireOnlyOwnerOf(tokenId);
Impact
The issue results in the functionality of the _unlockOperators being completely DoSed: the role exists but cannot perform the one action it was created for.
Recommendation
The issue can be mitigated by allowing the _unlockOperators to bypass the _requireOnlyApprovedOrOwnerOf() and _requireOnlyOwnerOf() checks in the two functions, while still sending the unlocked assets to the position owner rather than to the caller.
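To make the Vulnerability Detail and the Recommendation concrete, here is a minimal, self-contained sketch added for this write-up; it is not the MlumStaking code. The owner/lock storage, setUnlockOperator(), mint() and the Unlocked event are assumptions for the sketch; only the _unlockOperators and _requireOnlyOwnerOf() names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sketch: the owner-only check that blocks unlock operators,
// beside a check that lets them through while paying out to the owner.
contract StakingAccessSketch {
    mapping(uint256 => address) private _owners;      // assumed: tokenId -> owner
    mapping(uint256 => uint256) private _lockEnd;     // assumed: tokenId -> lock expiry
    mapping(address => bool) public _unlockOperators; // name from the finding
    address public _operator;                         // assumed admin for this sketch

    event Unlocked(uint256 indexed tokenId, address indexed owner);

    constructor() { _operator = msg.sender; }

    function setUnlockOperator(address who, bool allowed) external {
        require(msg.sender == _operator, "not operator");
        _unlockOperators[who] = allowed;
    }

    function mint(uint256 tokenId, uint256 lockDuration) external {
        require(_owners[tokenId] == address(0), "exists");
        _owners[tokenId] = msg.sender;
        _lockEnd[tokenId] = block.timestamp + lockDuration;
    }

    // Check as described in the finding: only the owner passes, so an
    // unlock operator calling the function below always reverts here.
    function _requireOnlyOwnerOf(uint256 tokenId) internal view {
        require(msg.sender == _owners[tokenId], "not owner");
    }

    // Fixed check: the owner still passes, and a registered unlock operator does too.
    function _requireOwnerOrUnlockOperatorOf(uint256 tokenId) internal view {
        bool isOwner = msg.sender == _owners[tokenId];
        require(isOwner || _unlockOperators[msg.sender], "not owner or unlock operator");
    }

    function emergencyWithdrawVulnerable(uint256 tokenId) external {
        _requireOnlyOwnerOf(tokenId);          // DoS for _unlockOperators
        _unlock(tokenId);
    }

    function emergencyWithdraw(uint256 tokenId) external {
        _requireOwnerOrUnlockOperatorOf(tokenId);
        _unlock(tokenId);
    }

    // Operators may bypass the lock; assets are credited to the owner, never msg.sender.
    function _unlock(uint256 tokenId) internal {
        require(block.timestamp >= _lockEnd[tokenId] || _unlockOperators[msg.sender], "locked");
        address owner = _owners[tokenId];
        delete _owners[tokenId];
        delete _lockEnd[tokenId];
        emit Unlocked(tokenId, owner); // payout to `owner` would happen here
    }
}
```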
Lone Opaque Mustang
Low/Info
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/7fd1a65b76d50f1bf2555c699ef06cde2b646674/magicsea-staking/src/MlumStaking.sol#L497
https://github.com/sherlock-audit/2024-06-magicsea/blob/7fd1a65b76d50f1bf2555c699ef06cde2b646674/magicsea-staking/src/MlumStaking.sol#L537
Tool used
Manual Review