This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

utsav - Voting will be DoS in _modify() #481

Closed
sherlock-admin2 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
High: A High severity issue.
Reward: A payout will be made for this issue

Comments

@sherlock-admin2

sherlock-admin2 commented Jul 15, 2024

utsav

Medium

Voting will be DoS in _modify()

Summary

Voting will be DoS in _modify() due to a strict require statement.

Vulnerability Detail

When a user votes in Voter.sol, it calls deposit() in BribeRewarder.sol, and deposit() in turn calls _modify():

    function deposit(uint256 periodId, uint256 tokenId, uint256 deltaAmount) public onlyVoter {
        _modify(periodId, tokenId, deltaAmount.toInt256(), false);
    }

    function _modify(uint256 periodId, uint256 tokenId, int256 deltaAmount, bool isPayOutReward)
        private
        returns (uint256 rewardAmount)
    {
    @>  if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
            revert BribeRewarder__NotOwner();
        }
        // Code...
    }

In the above code, we can see that only the Voter contract can call this function (onlyVoter), but the issue is in _modify(), which checks that only the owner of the tokenId can call it; otherwise it reverts. As a result, when Voter.sol calls _modify(), it will revert because Voter.sol is not the owner of any tokenId.

Impact

Voting will be DoSed in _modify()

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L153C4-L229C6
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L144
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L263C6-L266C10

Tool used

VS Code

Recommendation

Remove the check

Duplicate of #39

github-actions bot added the duplicate and High labels on Jul 21, 2024.
sherlock-admin4 added the Duplicate label on Jul 22, 2024.
sherlock-admin4 changed the title from "Joyful Arctic Aardvark - Voting will be DoS in _modify()" to "utsav - Voting will be DoS in _modify()" on Jul 29, 2024.
sherlock-admin4 added the Reward label on Jul 29, 2024.
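
The call path described in this report, reduced to two mock contracts as an added example (not code from the report or from the MagicSea repository). MockVoter, MockRewarder, mint(), depositNoCheck() and the withCheck flag are hypothetical names, and the ownership check inside vote() is an assumption about the voter side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-ins written for this example; not the MagicSea contracts.
contract MockRewarder {
    error NotOwner();
    address public immutable voter;
    mapping(uint256 => uint256) public deposited;
    constructor(address voter_) { voter = voter_; }

    modifier onlyVoter() {
        require(msg.sender == voter, "not voter");
        _;
    }

    // Pattern from the report: onlyVoter forces msg.sender == voter, so this
    // asks whether the voter contract itself owns tokenId, and reverts.
    function deposit(uint256 tokenId, uint256 amount) external onlyVoter {
        if (!MockVoter(voter).ownerOf(tokenId, msg.sender)) revert NotOwner();
        deposited[tokenId] += amount;
    }

    // Report's recommendation applied: no owner check on the voter-only path.
    function depositNoCheck(uint256 tokenId, uint256 amount) external onlyVoter {
        deposited[tokenId] += amount;
    }
}

contract MockVoter {
    MockRewarder public immutable rewarder;
    mapping(uint256 => address) public tokenOwner; // constructed ownership table
    constructor() { rewarder = new MockRewarder(address(this)); }

    function mint(uint256 tokenId) external {
        require(tokenOwner[tokenId] == address(0), "already minted");
        tokenOwner[tokenId] = msg.sender;
    }

    function ownerOf(uint256 tokenId, address account) external view returns (bool) {
        return tokenOwner[tokenId] == account;
    }

    // Called by the token owner: withCheck = true reverts with NotOwner, false records the deposit.
    function vote(uint256 tokenId, uint256 amount, bool withCheck) external {
        require(tokenOwner[tokenId] == msg.sender, "not owner"); // assumed voter-side check
        if (withCheck) rewarder.deposit(tokenId, amount);
        else rewarder.depositNoCheck(tokenId, amount);
    }
}
```

After mint(1) from an account, vote(1, 100, true) from that same account reverts with NotOwner, while vote(1, 100, false) leaves deposited(1) == 100.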