First Mlum staker can withdraw all the MlumStaking reward tokens if there are any
Summary
If some amount of reward tokens are going to be added to MlumStaking pool right after its deployment, first staker can use this opportunity to withdraw all the reward tokens from the contract as all the _stakedSupplyWithMultiplier belongs to himself.
on the next call to createPosition, since _stakedSupply is greater than 0 and all _stakedSupplyWithMultiplier belongs to the first staker all the rewards will be allocated to it :
first staker then simply calls harvestPosition(first_position_id) and withdraws all the 100 usdc from the contract.
this simple test (add to MlumStaking.t.sol) demonstrates this issue:
function testGetAllRewards() public {
_rewardToken.mint(address(_pool), 100_000_000);
_stakingToken.mint(ALICE, 2 ether);
vm.startPrank(ALICE);
_stakingToken.approve(address(_pool), 2 ether);
_pool.createPosition(1, 1 days); //_stakedSupply is zero, dont update pool
_pool.createPosition(1 ether, 1 days); //distribute all 100_000_000 rewards to previous supply
_pool.harvestPosition(1); //harvest position and receive all rewards
vm.stopPrank();
assertEq(_rewardToken.balanceOf(address(_pool)), 0);
assertEq(_rewardToken.balanceOf(address(ALICE)), 100_000_000);
}
Impact
In my opinion, impact of this issue could be anywhere from low to high depending on how team is going to allocate rewards to Mlum stakers, if a large amount of usdc is added into the pool before the first position, the damage will be higher.
Code Snippet
Tool used
Manual Review
Recommendation
amount of reward tokens going into MlumStaking contract should be proportional to amount of mlum tokens staked, This ensures that no large amount of reward tokens is available for exploitation by the first staker.
Sticky Hickory Hare
Low/Info
First Mlum staker can withdraw all the MlumStaking reward tokens if there are any
Summary
If some amount of reward tokens are going to be added to MlumStaking pool right after its deployment, first staker can use this opportunity to withdraw all the reward tokens from the contract as all the
_stakedSupplyWithMultiplierbelongs to himself.Vulnerability Detail
Lets assume that
MlumStakingis in its initial state and some amount of usdc (100 usdc) is added into the contract before first position is created. upon creating a new position,_updatePoolis called: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L360for the first position, since
_stakedSupplyis 0, the function simply returns and doesn't do anything: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L397on the next call to
createPosition, since _stakedSupply is greater than 0 and all _stakedSupplyWithMultiplier belongs to the first staker all the rewards will be allocated to it :first staker then simply calls
harvestPosition(first_position_id)and withdraws all the 100 usdc from the contract. this simple test (add to MlumStaking.t.sol) demonstrates this issue:Impact
In my opinion, impact of this issue could be anywhere from low to high depending on how team is going to allocate rewards to Mlum stakers, if a large amount of usdc is added into the pool before the first position, the damage will be higher.
Code Snippet
Tool used
Manual Review
Recommendation
amount of reward tokens going into MlumStaking contract should be proportional to amount of mlum tokens staked, This ensures that no large amount of reward tokens is available for exploitation by the first staker.