Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

radin200 - DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo #211

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

radin200 - DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo #211

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

radin200

High

DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo

Summary

DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo, due to bad validation

Vulnerability Detail

When approved to tokenIds user(not owner), calls MlumStaking::harvestPositionsTo, he is going to face "FORBIDDEN" revert, due to require((msg.sender == tokenOwner && msg.sender == to),"FORBIDDEN");, that always requires msg.sender == tokenOwner, which is not intended as we can see from the comment Can only be called by lsNFT's owner or approved address

/**
     * @dev Harvest from multiple staking positions to "to" address
     *
     * Can only be called by lsNFT's owner or approved address
     */
function harvestPositionsTo(uint256[] calldata tokenIds, address to) external override nonReentrant {
        _updatePool();

        uint256 length = tokenIds.length;

        for (uint256 i = 0; i < length; ++i) {
            uint256 tokenId = tokenIds[i];
            _requireOnlyApprovedOrOwnerOf(tokenId);
            address tokenOwner = ERC721Upgradeable.ownerOf(tokenId);
            // if sender is the current owner, must also be the harvest dst address
            // if sender is approved, current owner must be a contract
            require(
                (msg.sender == tokenOwner && msg.sender == to), // legacy || tokenOwner.isContract()
                "FORBIDDEN"
            );

            _harvestPosition(tokenId, to);
            _updateBoostMultiplierInfoAndRewardDebt(_stakingPositions[tokenId]);
        }
    }

Impact

DoS when approved address tries to harvest multiple positions

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L465-L489

Tool used

Manual Review

Recommendation

function harvestPositionsTo(uint256[] calldata tokenIds, address to) external override nonReentrant {
        _updatePool();

        uint256 length = tokenIds.length;

        for (uint256 i = 0; i < length; ++i) {
            uint256 tokenId = tokenIds[i];
            _requireOnlyApprovedOrOwnerOf(tokenId);
            address tokenOwner = ERC721Upgradeable.ownerOf(tokenId);
            // if sender is the current owner, must also be the harvest dst address
            // if sender is approved, current owner must be a contract
---         require(
---             (msg.sender == tokenOwner && msg.sender == to), // legacy || tokenOwner.isContract()
---             "FORBIDDEN"
---         );
+++         if((msg.sender == tokenOwner && msg.sender != to) && tokenOwner.code.length == 0) revert("FORBIDDEN");

            _harvestPosition(tokenId, to);
            _updateBoostMultiplierInfoAndRewardDebt(_stakingPositions[tokenId]);
        }
    }

Duplicate of #329
@github-actions github-actions bot mentioned this issue Jul 21, 2024
Closed
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Stable Grape Panda - DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo radin200 - DoS if approved address tries to harvest multiple positions with MlumStaking::harvestPositionsTo Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4