Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

Silvermist - addToPosition #_transferSupportingFeeOnTransfer should be called at the beginning of the function #228

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Closed

Silvermist - addToPosition #_transferSupportingFeeOnTransfer should be called at the beginning of the function #228

sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jul 15, 2024
edited by sherlock-admin4
Loading

Silvermist

Medium

addToPosition #_transferSupportingFeeOnTransfer should be called at the beginning of the function

Summary

When staking, the protocol uses fee-on-transfer tokens and implements the _transferSupportingFeeOnTransfer function to return the transferred amount after fees are deducted. However, in the addToPosition function, the amountToAdd is checked before the transfer, leading to potential issues with zero transfers and incorrect avgDuration calculations.

Vulnerability Detail

When staking, the protocol takes care of using fee on transfer tokens by implementing the _transferSupportingFeeOnTransfer function that returns the transferred amount after the fees.

In addToPosition the amountToAdd before the transfer is used to check if the user is transferring more than 0 and the avgDuration is also caluclated with the amount with the fees.

The transfer happens after this, which creates two problems. A user can transfer a little amount that becomes 0 after fees, but the check to be > 0 will pass since it is done before the transfer. Also, avgDuration will be calculated with wrong amount because it uses the variable value before the transfer.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L397-L428

Tool used

Manual Review

Recommendation

Make the transfer at the beginning of the function and use the amount after the fees for checks and calculations.

Duplicate of #545
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Quick Mahogany Viper - addToPosition #_transferSupportingFeeOnTransfer should be called at the beginning of the function Silvermist - addToPosition #_transferSupportingFeeOnTransfer should be called at the beginning of the function Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4