Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

Reentrants - BribeRewarder_modify() uses incorrect parameter to check tokenId owner #48

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Closed

Reentrants - BribeRewarder_modify() uses incorrect parameter to check tokenId owner #48

sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link

sherlock-admin2 commented Jul 15, 2024
edited by sherlock-admin4
Loading

Reentrants

High

BribeRewarder_modify() uses incorrect parameter to check tokenId owner

Summary

The BribeRewarder._modify() check uses the incorrect parameter of msg.sender to check the tokenId owner.

if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
  revert BribeRewarder__NotOwner();
}

Vulnerability Detail

The flow is Voter.vote() -> Voter._notifyBribes() -> rewarders[i].deposit() -> rewarders[i].modify(), hence msg.sender is the _caller contract, not the actual voter. Can verify this because of the onlyVoter() check as well.

POC

The setup can be found in the gist.
https://gist.github.com/Reentrants/50898e49155a13b9eddbe69ea52c1a19#file-e2etest-t-sol-L175-L191

For brevity, the case is linked below.

function test_incorrect_modify_check() public {
        vm.startPrank(alice);
        staking.createPosition(1e18, 180 days);
        bribeRewarder = BribeRewarder(payable(address(rewarderFactory.createBribeRewarder(IERC20(address(0)), address(tokenA)))));
        bribeRewarder.fundAndBribe{value: 100 wei}(1, 100, 1);
        vm.startPrank(owner);
        voter.startNewVotingPeriod();
        vm.startPrank(alice);
        address[] memory pools = new address[](1);
        pools[0] = address(tokenA);
        uint256[] memory deltaAmounts = new uint256[](1);
        deltaAmounts[0] = 100;

        // voting reverts from incorrect staking NFT owner check
        vm.expectRevert(IBribeRewarder.BribeRewarder__NotOwner.selector);
        voter.vote(1, pools, deltaAmounts);
}

Impact

Users will not be able to vote.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/7fd1a65b76d50f1bf2555c699ef06cde2b646674/magicsea-staking/src/rewarders/BribeRewarder.sol#L264-L266

Tool used

Manual Review

Recommendation

_modify() needs to take in the caller of vote() for verification.

Duplicate of #39
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Lone Opaque Mustang - BribeRewarder_modify() uses incorrect parameter to check tokenId owner Reentrants - BribeRewarder_modify() uses incorrect parameter to check tokenId owner Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin2 @sherlock-admin4