Skip to content
This repository was archived by the owner on Jan 12, 2025. It is now read-only.

Reentrants - addToPosition() isn't disabled during emergency unlock #15

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 1 comment
Closed

Reentrants - addToPosition() isn't disabled during emergency unlock #15

sherlock-admin2 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jul 15, 2024
edited by WangSecurity
Loading

Reentrants

Medium

addToPosition() isn't disabled during emergency unlock

Summary

addToPosition() doesn't have the isUnlocked() check that is present in createPosition() and _lockPosition().

Vulnerability Detail

In the event where emergency unlock is activated, locks should be disabled and users should only be able to withdraw positions. However, users are able to add to existing positions with addToPosition() because it doesn't have the isUnlocked() check.

Impact

User action that should be blocked, isn't.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/7fd1a65b76d50f1bf2555c699ef06cde2b646674/magicsea-staking/src/MlumStaking.sol#L397-L428

Tool used

Manual Review

Recommendation

Add the isUnlocked() check for addToPosition().
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Lone Opaque Mustang - addToPosition() isn't disabled during emergency unlock Reentrants - addToPosition() isn't disabled during emergency unlock Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@chinmay-farkya chinmay-farkya mentioned this issue Jul 31, 2024
Open
@WangSecurity
Copy link

Invalid based on this and this comments.

@WangSecurity WangSecurity removed Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 13, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4