sherlock-audit / 2024-06-magicsea-judging


Icy Basil Seal - In case Stake token and reward token are the same on MlumStaking, the contract will pay out staked tokens as rewards #719

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

Icy Basil Seal

Low/Info

In case Stake token and reward token are the same on MlumStaking, the contract will pay out staked tokens as rewards

Summary

In case the admin sets stake token and reward token to be the same in MlumStaking, the contract will pay out the staked tokens of other users as rewards.

Vulnerability Detail

The MlumStaking contract uses balanceOf to determine the amount of rewards in the contract:

```solidity
uint256 accRewardsPerShare = _accRewardsPerShare;
uint256 rewardBalance = rewardToken.balanceOf(address(this)); // whole token balance held by the contract
uint256 lastRewardBalance = _lastRewardBalance;
```

In case the reward token is the staked token, the contract will treat the staked tokens as the reward and pay these out.

Impact

Other users' tokens are used as rewards in case someone withdraws

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L82-L97

Tool used

Manual Review

Recommendation

Check in constructor that stake token != reward token.
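To make the accounting concrete, the following is an added Python model (not the project's code) of reward accrual driven by rewardToken.balanceOf(pool), as in the snippet above; the names Token, Pool, scenario, the "pool" address and the 100/100 deposit amounts are constructed for this example. With the stake token doubling as the reward token, Bob's deposit is booked as Alice's pending reward, and Bob's own stake can no longer be withdrawn; the check_distinct flag models the recommended constructor check.

```python
PRECISION = 10**18  # fixed-point scale for accRewardsPerShare

class Token:  # minimal ERC-20 stand-in (constructed for this example): balances only
    def __init__(self, name, holders): self.name, self.bal = name, dict(holders)
    def balance_of(self, who): return self.bal.get(who, 0)
    def transfer(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise RuntimeError(f"{self.name}: {src} cannot pay {amt}")
        self.bal[src] = self.bal.get(src, 0) - amt; self.bal[dst] = self.bal.get(dst, 0) + amt

class Pool:  # simplified model of balanceOf-based reward accounting, not MlumStaking's code
    def __init__(self, stake, reward, check_distinct=False):
        if check_distinct and stake is reward:  # the recommended constructor guard
            raise ValueError("stake token must not be the reward token")
        self.stake, self.reward = stake, reward
        self.acc = self.last = self.supply = 0; self.staked, self.debt = {}, {}
    def _update_pool(self):
        bal = self.reward.balance_of("pool")  # whatever the pool holds is treated as reward
        if bal != self.last and self.supply:
            self.acc += (bal - self.last) * PRECISION // self.supply
            self.last = bal
    def _harvest(self, user):
        pending = self.staked.get(user, 0) * self.acc // PRECISION - self.debt.get(user, 0)
        if pending: self.reward.transfer("pool", user, pending); self.last -= pending
        return pending
    def deposit(self, user, amt):
        self._update_pool(); self._harvest(user)
        self.stake.transfer(user, "pool", amt)  # if stake is reward, this inflow is "reward" at the next update
        self.supply += amt; self.staked[user] = self.staked.get(user, 0) + amt
        self.debt[user] = self.staked[user] * self.acc // PRECISION
    def withdraw(self, user, amt):
        self._update_pool(); pending = self._harvest(user)
        self.staked[user] -= amt; self.supply -= amt
        self.stake.transfer("pool", user, amt)
        self.debt[user] = self.staked[user] * self.acc // PRECISION
        return pending

def scenario(same_token):
    """Alice and Bob each stake 100; nobody funds rewards. Returns (Alice's harvested 'reward', Bob can withdraw)."""
    stk = Token("STK", {"alice": 100, "bob": 100})
    pool = Pool(stk, stk if same_token else Token("RWD", {}))
    pool.deposit("alice", 100); pool.deposit("bob", 100)
    alice_reward = pool.withdraw("alice", 0)  # harvest only, stake stays in
    try:
        pool.withdraw("bob", 100); return alice_reward, True
    except RuntimeError:
        return alice_reward, False
```

With the same token, scenario(True) returns (150, False): Alice, who deposited 100, is paid 150 of "rewards" out of the 200 staked, and Bob's withdrawal fails; with distinct tokens, scenario(False) returns (0, True).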