Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

blackhole - DoS Vulnerability in the deposit Function of BribeRewarder contract #205

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

blackhole - DoS Vulnerability in the deposit Function of BribeRewarder contract #205

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

blackhole

High

DoS Vulnerability in the deposit Function of BribeRewarder contract

Summary

The deposit function in BribeRewarder always reverts due to a logical error.
This function is intended to be called by the voter contract when a user votes.
However, the _modify function, which is called within deposit, checks if the msg.sender is the owner of the tokenID.
Since the msg.sender is actually the voter contract and not the user, this check fails, causing the deposit function to revert and preventing the user from voting.

Vulnerability Detail

The deposit function includes the onlyVoter modifier, which ensures the msg.sender is the voter contract.
Inside the deposit function, the _modify function is called.
The _modify function checks if the msg.sender is the owner of the tokenID.
As the msg.sender is the voter contract (and not the actual user), this check fails, causing the deposit function to revert.

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L143-L147

    function deposit(uint256 periodId, uint256 tokenId, uint256 deltaAmount) public onlyVoter {
        _modify(periodId, tokenId, deltaAmount.toInt256(), false); // @audit -high _caller is ownerOf(tokenId)?

        emit Deposited(periodId, tokenId, _pool(), deltaAmount);
    }

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L260

    function _modify(uint256 periodId, uint256 tokenId, int256 deltaAmount, bool isPayOutReward)
        private
        returns (uint256 rewardAmount)
    {
        if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {  // @audit msg.sender != owner of tokenId
            revert BribeRewarder__NotOwner();
        }
        ...
    }

Impact

Due to this issue, users are unable to vote, BribeRewarder contract cannot be used.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L144

Tool used

Manual Review

Recommendation

Update the _modify function to allow both the owner of the tokenID and the voter contract to use it.

    function _modify(uint256 periodId, uint256 tokenId, int256 deltaAmount, bool isPayOutReward)
        private
        returns (uint256 rewardAmount)
    {
-        if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
+        if (!IVoter(_caller).ownerOf(tokenId, msg.sender) && msg.sender != _caller) {
            revert BribeRewarder__NotOwner();
        }

Duplicate of #39
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Proud Coral Terrier - DoS Vulnerability in the deposit Function of BribeRewarder contract blackhole - DoS Vulnerability in the deposit Function of BribeRewarder contract Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4