This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
hickuphh3 - Funds can be stolen because of incorrect update to ownerToRollOverQueueIndex for existing rollovers
#2
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
github-actions
bot
added
High
This was referenced Apr 3, 2023
Closed
Closed
Closed
This was referenced Apr 3, 2023
Closed
|
good catch |
|
fix PR: Y2K-Finance/Earthquake#128 |
|
Fix looks good. Assigning index has been moved inside else block |
3xHarry
added a commit
to Y2K-Finance/Earthquake
that referenced
this issue
May 10, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
hickuphh3
high
Funds can be stolen because of incorrect update to
ownerToRollOverQueueIndexfor existing rolloversSummary
In the case where the owner has an existing rollover, the
ownerToRollOverQueueIndexincorrectly updates to the last queue index. This causes thenotRollingOvercheck to be performed on the incorrect_id, which then allows the depositor to withdraw funds that should've been locked.Vulnerability Detail
In
enlistInRollover(), if the user has an existing rollover, it overwrites the existing data:However, regardless of whether the user has an existing rollover, the
ownerToRolloverQueueIndexpoints to the last item in the queue:Thus, the
notRollingOvermodifier will check the incorrect item for users with existing rollovers:allowing the user to withdraw assets that should've been locked.
Impact
Users are able to withdraw assets that should've been locked for rollovers.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L252-L257
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L268
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L755-L760
Tool used
Manual Review
Recommendation
The
ownerToRollOverQueueIndexshould be pointing to the last item in the queue in theelsecase only: when the user does not have an existing rollover queue item.} else { // if not, add to queue rolloverQueue.push( QueueItem({ assets: _assets, receiver: _receiver, epochId: _epochId }) ); + ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length; } - ownerToRollOverQueueIndex[_receiver] = rolloverQueue.length;The text was updated successfully, but these errors were encountered: