This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

scammed - NFT approved users cannot vote #507

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

sherlock-admin4 commented Jul 15, 2024

scammed

Medium

NFT approved users cannot vote

Summary

Users approved for an lsNFT cannot vote via Voter::vote due to a strict `if` check.

Vulnerability Detail

In MlumStaking.sol, users approved for a given lsNFT can perform any operation, but they cannot vote because Voter::vote has a strict owner check.

```solidity
function vote(uint256 tokenId, address[] calldata pools, uint256[] calldata deltaAmounts) external {
    if (pools.length != deltaAmounts.length) revert IVoter__InvalidLength();

    // check voting started
    if (!_votingStarted()) revert IVoter_VotingPeriodNotStarted();
    if (_votingEnded()) revert IVoter_VotingPeriodEnded();

    // check ownership of tokenId
    if (_mlumStaking.ownerOf(tokenId) != msg.sender) { // AUDIT - approved users cannot vote
        revert IVoter__NotOwner();
    }
    // ...
}
```

Impact

Approved addresses cannot vote, which defeats the purpose of approving lsNFTs, even though they can still perform any other operation in MlumStaking.sol.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/Voter.sol#L161-L163

Tool used

Manual Review

Recommendation

Make MlumStaking::_requireOnlyApprovedOrOwnerOf() public and use it instead of ownerOf().

Duplicate of #378
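
An added example (not code from the report or from the audited repository) of an approved-or-owner check in `vote`, assuming the lsNFT contract exposes the standard ERC-721 views `ownerOf`, `getApproved` and `isApprovedForAll`. The names `IERC721View`, `VoterAuthExample` and `_isApprovedOrOwner` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standard ERC-721 view functions; assumes the lsNFT contract exposes them.
interface IERC721View {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

// Hypothetical contract; only the authorization part of vote() is shown.
contract VoterAuthExample {
    error IVoter__InvalidLength();
    error IVoter__NotOwner();

    IERC721View private immutable _mlumStaking;

    constructor(IERC721View mlumStaking) {
        _mlumStaking = mlumStaking;
    }

    // Hypothetical helper: true if `spender` is the owner, the per-token
    // approved address, or an operator approved for all of the owner's tokens.
    // The caller is passed in explicitly, because a check inside the staking
    // contract that reads msg.sender would see this contract's address when
    // it is called from here.
    function _isApprovedOrOwner(address spender, uint256 tokenId) internal view returns (bool) {
        address owner = _mlumStaking.ownerOf(tokenId); // standard ERC-721 reverts for unminted ids
        return spender == owner
            || _mlumStaking.getApproved(tokenId) == spender
            || _mlumStaking.isApprovedForAll(owner, spender);
    }

    function vote(uint256 tokenId, address[] calldata pools, uint256[] calldata deltaAmounts) external {
        if (pools.length != deltaAmounts.length) revert IVoter__InvalidLength();

        // Before: if (_mlumStaking.ownerOf(tokenId) != msg.sender) revert IVoter__NotOwner();
        if (!_isApprovedOrOwner(msg.sender, tokenId)) revert IVoter__NotOwner();

        // Voting-period checks and vote accounting are omitted in this example.
    }
}
```

If the staking contract's own helper is exposed instead, it needs to take the caller's address as a parameter for the same reason given in the comment above.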

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 21, 2024
@0xSmartContract 0xSmartContract added Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jul 27, 2024
@sherlock-admin4 sherlock-admin4 changed the title from "Soft Mint Lizard - NFT approved users cannot vote" to "scammed - NFT approved users cannot vote" Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024