Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

nikhil840096 - Access Control Vulnerability in MlumStaking.sol:addToPosition #314

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

nikhil840096 - Access Control Vulnerability in MlumStaking.sol:addToPosition #314

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

nikhil840096

Medium

Access Control Vulnerability in MlumStaking.sol:addToPosition

Summary

The addToPosition function in the MlumStaking.sol contract allows any user to add tokens to an existing staking position by providing the tokenId of the position. This introduces a significant security risk, as malicious actors can manipulate other users positions.

Vulnerability Detail

addToPosition function directly depends on function _requireOnlyOperatorOrOwnerOf for checks, while the function _requireOnlyOperatorOrOwnerOf is implemented incorrectly and is vulnerable.
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L140-L143
requireOnlyOperatorOrOwnerOf function calls ERC721Upgradeable._isAuthorized with parameter for owner and sender as msg.sender and mseg.sender.

While if we look at the implementation of _isAuthorized function it is this

 // WARNING: This function assumes that `owner` is the actual owner of `tokenId` and does not verify this assumption.

    function _isAuthorized(address owner, address spender, uint256 tokenId) internal view virtual returns (bool) {
        return
            spender != address(0) &&
            (owner == spender || isApprovedForAll(owner, spender) || _getApproved(tokenId) == spender);
    }

The warning is given above that it actually assumes that owner given is the owner of the tokenId. So here the function fails to protect addToPosition from access control vulnerability.

Impact

There are some impacts as given below :

  1. adding tokens to another user's position, an attacker can manipulate the average stake time, causing the user's position to take longer to unlock.
  2. The unauthorized addition of tokens increases the total amount staked, potentially affecting the user's strategy and plans. The control over one's staking position is compromised, leading to a loss of confidence in the protocol's security.
  3. Function natspec states that it can be also callable by operator , but there is no check for the operator.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L140-L142C17

Tool used

Manual Review

Recommendation

  • There is check required in requireOnlyOperatorOrOwnerOf function for tokenId owner, and also for operator

Duplicate of #378
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Acidic Cloth Pigeon - Access Control Vulnerability in MlumStaking.sol:addToPosition nikhil840096 - Access Control Vulnerability in MlumStaking.sol:addToPosition Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4