Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

Ryonen - BribeRewarder.deposit Reverts #476

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

Ryonen - BribeRewarder.deposit Reverts #476

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

Ryonen

High

BribeRewarder.deposit Reverts

Summary

BribeRewarder._modify() is an internal function responsible for depositing/withdrawing, calculating rewards, and harvesting. In BribeRewarder, it is used twice: by the deposit function and the claim function. However, the deposit function always reverts.

Vulnerability Detail

The deposit function executes an onlyVoter modifier that does the following:

    function _checkVoter() internal view virtual {
        if (msg.sender != address(_caller)) {
            revert BribeRewarder__OnlyVoter();
        }
    }

This means that deposit can only be called by _caller.

On the other hand, within the _modify function, we have the following condition:

        if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
            revert BribeRewarder__NotOwner();
        }

This requires that, to avoid reverting, the owner of the tokenId must be the contract at the _caller address, which does not make sense.

Impact

The deposit call can only revert.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L71-L74

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L393-L397

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L143

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L264-L266

Tool used

Manual Review

Recommendation

Properly check who the owner of the tokenId is by passing an additional parameter.

Duplicate of #39
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Decent Fuchsia Caterpillar - BribeRewarder.deposit Reverts Ryonen - BribeRewarder.deposit Reverts Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4