Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

iamnmt - Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as an attacker will call MlumStaking#addToPosition to user's position at the end of locking period #152

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Closed

iamnmt - Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as an attacker will call MlumStaking#addToPosition to user's position at the end of locking period #152

sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited
Loading

iamnmt

Medium

Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as an attacker will call MlumStaking#addToPosition to user's position at the end of locking period

Summary

Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as the attacker will call MlumStaking#addToPosition at the end of locking period.

Vulnerability Detail

Since the check _requireOnlyOperatorOrOwnerOf always passes

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L398

An attacker can call MlumStaking#addToPosition to a user's position to increase its locking duration. The new locking duration is (remainingLockTime * position.amount + amountToAdd * position.initialLockDuration) / (position.amount + amountToAdd). At the end of a locking period remainingLockTime will tend to zero. To lock user's fund more than a week, the attacker will add to the position with amountToAdd such that

(amountToAdd * position.initialLockDuration) / (position.amount + amountToAdd) > 7 days
=> amountToAdd > (7 days * position.amount) / (position.initialLockDuration - 7 days)

Required that position.initialLockDuration > 7 days. A position with large position.initialLockDuration will make it cheaper for the attacker to carry out this attack.

Impact

Locking user's funds in MlumStaking position more than a week.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L140

Tool used

Manual Review

Recommendation

Fix the MlumStaking#_requireOnlyOperatorOrOwnerOf function

src/MlumStaking.sol:140

    function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
        // isApprovedOrOwner: caller has no rights on token
-       require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
+       require(ERC721Upgradeable._isAuthorized(ERC721Upgradeable.ownerOf(tokenId), msg.sender, tokenId), "FORBIDDEN");
    }

Duplicate of #378
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Acidic Sable Loris - Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as an attacker will call MlumStaking#addToPosition to user's position at the end of locking period iamnmt - Incorrect ownership check in MlumStaking#addToPosition will cause locking user's funds more than a week as an attacker will call MlumStaking#addToPosition to user's position at the end of locking period Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4