Closed sherlock-admin4 closed 2 months ago
Since all LP tokens are refunded at the end of the transaction, there is no permanent damage or change in the state of the system. Therefore, the potential harm is limited or non-existent and therefore considered low. Also, this issue was submitted as low/info.
Sticky Hickory Hare
Low/Info
Read-only reentrancy in MasterChefV2::deposit allows an address to take control of all lp tokens and inflate total supply of a pid
Summary
`MasterChefV2::deposit(pid, arbitrary_amount)` ==> `MasterChefRewarder.onModify` ==> `MasterChefRewarder._claim` ==> call `account` (depositor) with `reward` amount of ETH ==> attacker contract ==> `MasterChefV2::withdraw(pid, arbitrary_amount)` ==> send LP tokens of `pid` to attacker contract
Vulnerability Detail
`MasterChefV2::deposit(pid, amount)` modifies user state before transferring LP tokens from the user to the pool: the balance of `msg.sender` is increased by `amount`: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MasterchefV2.sol#L544
Then, if `pid` has an `extraRewarder`, the `MasterChefRewarder::onModify` hook is called: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MasterchefV2.sol#L560
Looking at the implementation of `MasterChefRewarder::onModify`, we can see that at the end of the call the `_claim` function sends `reward` to `account` using the `_safeTransferTo` function: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/MasterChefRewarder.sol#L77
If the reward token is `address(0)`, it calls `account` with `reward` amount of ETH: https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BaseRewarder.sol#L324
At this point `account`, which is a malicious contract, takes control of the call and withdraws all the LP tokens from `pid`.
However, at the end of this call all LP tokens must be paid back (the pending `transferFrom` in `deposit` still has to succeed), so this issue provides a flash-loan functionality for LP tokens, but with zero fees!
Impact
Currently, I could not find any direct impact for this issue, as the user has to pay all the LP tokens back to `MasterChefV2` and all state changes are reset to what they were before. There might be parts of the system that are out of scope for this audit but could be affected by this read-only reentrancy, since the total supply of the target `pid` is inflated (and the pool's actual LP balance drained) for the duration of the callback.
Code Snippet
Tool used
Manual Review
Recommendation
Use a `nonReentrant` modifier on `MasterChefV2` functions.
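A simplified pool model showing the two hardening steps together, the `nonReentrant` guard recommended above and pulling the LP tokens before the accounting is updated. This is an added illustration, not MagicSea's code: `SimplifiedChef`, `IRewardHook` and `addPool` are hypothetical names, and it assumes OpenZeppelin v5 import paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Hypothetical reward hook standing in for the extraRewarder's onModify call.
interface IRewardHook {
    function onModify(address account, uint256 pid, uint256 oldBalance, uint256 newBalance) external;
}

// Simplified pool model (not MasterChefV2 itself): one LP token and one optional hook per pid.
contract SimplifiedChef is ReentrancyGuard {
    using SafeERC20 for IERC20;
    struct Pool { IERC20 lpToken; IRewardHook hook; uint256 totalSupply; }
    Pool[] public pools;
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    function addPool(IERC20 lpToken, IRewardHook hook) external { // demo only: no access control
        pools.push(Pool({lpToken: lpToken, hook: hook, totalSupply: 0}));
    }

    // nonReentrant: a hook that forwards ETH to msg.sender cannot call back into
    // deposit/withdraw, which is the fix this report recommends.
    function deposit(uint256 pid, uint256 amount) external nonReentrant {
        Pool storage p = pools[pid];
        // Pull the LP tokens before touching accounting, so balances and totalSupply
        // never describe tokens the pool does not actually hold while the hook runs.
        p.lpToken.safeTransferFrom(msg.sender, address(this), amount);
        uint256 oldBal = balanceOf[pid][msg.sender];
        uint256 newBal = oldBal + amount;
        balanceOf[pid][msg.sender] = newBal;
        p.totalSupply += amount;
        if (address(p.hook) != address(0)) p.hook.onModify(msg.sender, pid, oldBal, newBal);
    }

    function withdraw(uint256 pid, uint256 amount) external nonReentrant {
        Pool storage p = pools[pid];
        uint256 oldBal = balanceOf[pid][msg.sender];
        uint256 newBal = oldBal - amount; // reverts on underflow (0.8.x checked math)
        balanceOf[pid][msg.sender] = newBal;
        p.totalSupply -= amount;
        if (address(p.hook) != address(0)) p.hook.onModify(msg.sender, pid, oldBal, newBal);
        // Interaction last: tokens leave only after state is settled.
        p.lpToken.safeTransfer(msg.sender, amount);
    }
}
```

With this ordering a deposit of an `arbitrary_amount` the caller does not hold reverts at `safeTransferFrom` before any state changes, and a hook callback that reaches `withdraw` reverts on the guard.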