Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

KupiaSec - Improper msg.sender check in the BribeRewarder._modify() function #580

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

KupiaSec - Improper msg.sender check in the BribeRewarder._modify() function #580

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

KupiaSec

High

Improper msg.sender check in the BribeRewarder._modify() function

Summary

When the _modify() function is called within the deposit() function, it will be reverted because of an incorrect check on msg.sender.

Vulnerability Detail

The deposit() function includes the onlyVoter modifier, indicating that msg.sender is the Voter contract. Consequently, when calling the _modify() function, it will encounter a revert at L264 due to the requirement for msg.sender to be the owner of tokenId, not the Voter contract. This renders voting impossible, as the Voter.vote() function triggers the deposit() function via the Voter._notifyBribes() function.

    function deposit(uint256 periodId, uint256 tokenId, uint256 deltaAmount) public onlyVoter {
        _modify(periodId, tokenId, deltaAmount.toInt256(), false);

        emit Deposited(periodId, tokenId, _pool(), deltaAmount);
    }

----------------------

    function _modify(uint256 periodId, uint256 tokenId, int256 deltaAmount, bool isPayOutReward)
        private
        returns (uint256 rewardAmount)
    {
264     if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
            revert BribeRewarder__NotOwner();
        }

        ...
    }

Impact

Voting is impossible, resulting in the breakdown of the core functionality of the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L143-L147

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/rewarders/BribeRewarder.sol#L264-L266

Tool used

Manual Review

Recommendation

The msg.sender check should not be applied when the _modify() function is called within the deposit() function.

    function _modify(uint256 periodId, uint256 tokenId, int256 deltaAmount, bool isPayOutReward)
        private
        returns (uint256 rewardAmount)
    {
-       if (!IVoter(_caller).ownerOf(tokenId, msg.sender)) {
+       if (isPayOutReward && !IVoter(_caller).ownerOf(tokenId, msg.sender)) {
            revert BribeRewarder__NotOwner();
        }

        ...
    }

Duplicate of #39
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Smooth Taffy Moth - Improper msg.sender check in the BribeRewarder._modify() function KupiaSec - Improper msg.sender check in the BribeRewarder._modify() function Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4