This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

nikhil840096 - Voting Malfunction Leading to Core Protocol Vulnerability #430

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), High (A High severity issue.), Reward (A payout will be made for this issue)

sherlock-admin2 commented Jul 15, 2024

nikhil840096

High

Voting Malfunction Leading to Core Protocol Vulnerability

Summary

The function Voter:vote is responsible for voting for a particular pool; only stakers of Mlum in MlumStaking.sol can call this function. However, there is a check that stops the whole vote function from executing, impacting the core functionality of the protocol.

Vulnerability Detail

When a staker of Mlum calls the vote function with the parameters
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L153-L156
All checks will pass and execution will proceed to _notifyBribes
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L211
If we look at the execution of this function
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L221-L229
For each rewarder it will call the deposit function of that rewarder contract, and the rewarder here is BribeRewarder.
If we look at the BribeRewarder:deposit function
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L143-L147
It has a modifier onlyVoter which checks if the caller is the voter contract or not, so this will pass as the msg.sender is the voter contract.
Then it calls the _modify function. If we look at that function
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L260-L267
At the start of the function's execution there is a check which verifies whether the owner of the tokenId (the staking position's tokenId) is msg.sender or not; if not, it reverts and halts the full execution of the vote function. Since msg.sender is the Voter, this check will fail.

Impact

The voting will not work, breaking the core functionality of the function.
High

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L260-L267

Tool used

Manual Review

Recommendation

Remove the check in _modify for the owner of the tokenId, as it has already been verified in the voter.sol, and add a check in function claim to verify if the msg.sender is the owner of tokenId.

Duplicate of #39
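
The call chain described in the report above, reduced to a minimal Solidity sketch with the reported owner check next to the recommended shape. This is an added example, not the MagicSea contracts or the reporter's code; StakingSketch, RewarderSketch, VoterSketch and all of their functions are hypothetical stand-ins.

```solidity
pragma solidity ^0.8.20;
// Added illustration: every name here is a hypothetical stand-in, not MagicSea code.
contract StakingSketch {
    mapping(uint256 => address) public ownerOf; // tokenId => staker
    // Test stand-in with no access control: the caller becomes the position owner.
    function mint(uint256 tokenId) external { ownerOf[tokenId] = msg.sender; }
}

contract RewarderSketch {
    StakingSketch public immutable staking;
    address public immutable voter;
    mapping(uint256 => uint256) public votes;

    constructor(StakingSketch staking_, address voter_) {
        staking = staking_;
        voter = voter_;
    }

    modifier onlyVoter() {
        require(msg.sender == voter, "not voter");
        _;
    }

    // Reported pattern: onlyVoter forces msg.sender == voter, so comparing the
    // position owner to msg.sender reverts for every staker-owned tokenId.
    function depositWithOwnerCheck(uint256 tokenId, uint256 amount) external onlyVoter {
        require(staking.ownerOf(tokenId) == msg.sender, "not owner");
        votes[tokenId] += amount;
    }

    // Recommended shape: deposits rely on the ownership check done in the voter ...
    function deposit(uint256 tokenId, uint256 amount) external onlyVoter { votes[tokenId] += amount; }

    // ... and claim checks ownership itself, because the staker calls it directly.
    function claim(uint256 tokenId) external view returns (uint256) {
        require(staking.ownerOf(tokenId) == msg.sender, "not owner");
        return votes[tokenId];
    }
}

contract VoterSketch {
    RewarderSketch public immutable rewarder;
    constructor(StakingSketch staking_) { rewarder = new RewarderSketch(staking_, address(this)); }
    function vote(uint256 tokenId, uint256 amount, bool reportedPath) external {
        require(rewarder.staking().ownerOf(tokenId) == msg.sender, "not owner"); // staker
        if (reportedPath) rewarder.depositWithOwnerCheck(tokenId, amount); // reverts
        else rewarder.deposit(tokenId, amount);
    }
}
```

With a position minted by the caller, vote(tokenId, amount, true) reverts with "not owner" raised inside the rewarder, while vote(tokenId, amount, false) records the votes and claim still rejects anyone other than the position owner.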

@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title from "Acidic Cloth Pigeon - Voting Malfunction Leading to Core Protocol Vulnerability" to "nikhil840096 - Voting Malfunction Leading to Core Protocol Vulnerability" Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024