This repository has been archived by the owner on Jan 12, 2025. It is now read-only.
PASCAL - User won't get accurate rewards under certain circumstances #567
Labels
Non-Reward
This issue will not receive a payout
Comments
sherlock-admin3
added
the
Duplicate
sherlock-admin4
changed the title
|
Invalid based on #290 (comment) and #290 (comment) comments. |
WangSecurity
removed
Medium
sherlock-admin2
added
Non-Reward
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
PASCAL
Medium
User won't get accurate rewards under certain circumstances
Summary
User won't get full reward if they add to their position when pool is locked
Vulnerability Detail
The owner can lock the pool by calling
setEmergencyUnlock()halting any function that has to do with changing position lock duration or creating new ones entirely.The issue is that
addToPosition()does not have that check thatcreatePosition(), extendLockPosition() and renewLockPosition()which prevents users from calling them when pool is locked so user can extend their postion duration by adding funds to the position. This itself is supposed to be a bug as it was not listed as a known issue but it has a greater impact because an ignorant honest user can come to add to his/her position without knowledge of the lockdown.Inside the function
addToPosition(),getMultiplierByLockDuration(), is called which setslockMultiplierto 0 because pool is locked which is used to calculateposition.amountWithMultiplierandposition.rewrdDebtwhen_updateBoostMultiplierInfoAndRewardDebt()is called at the end of the function. So no matter how long the user staked before the current amountWithMultiplier will be amount multiplied with 1 instead of the right multiplier which will affect the reward. And according to the design users can claim rewards and withdraw funds even when pool is locked.Take this example
bob creates a position for 365 days with 1 ether which makes his amountWithMultiplier 3 ether
owner locks pool to prevent deposit
bob comes and add to his position with extra 0.1 ether and it goes through but his amountWithMultiplier is currently 1.5 ether because lockMultipluer returned zero as pool is locked so when he comes to claim rewards it will multiply it by 1.5 instead of 3.5.
Impact
Inaccurate rewards for users due to protocol design
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L417
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L219
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L658-L667
Tool used
Manual Review
Recommendation
Add a check to ensure users can't add to position when pool is locked as was done in other functions.
The text was updated successfully, but these errors were encountered: