Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

KupiaSec - Unclaimed rewards from the emergencyWithdraw() function remain permanently locked in the MlumStaking contract #589

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

KupiaSec - Unclaimed rewards from the emergencyWithdraw() function remain permanently locked in the MlumStaking contract #589

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

KupiaSec

High

Unclaimed rewards from the emergencyWithdraw() function remain permanently locked in the MlumStaking contract

Summary

When using the emergencyWithdraw() function, rewards are not sent to the user, and the unclaimed rewards become permanently locked in the MlumStaking contract.

Vulnerability Detail

When the emergencyWithdraw() function is called, the harvest process is skipped, so any accumulated rewards are not sent to the user. Additionally, there is no mechanism to release the user's unclaimed rewards. As a result, those rewards become permanently locked in the MlumStaking contract, as there is no sweep function to retrieve them.

    function emergencyWithdraw(uint256 tokenId) external override nonReentrant {
        _requireOnlyOwnerOf(tokenId);

        StakingPosition storage position = _stakingPositions[tokenId];

        // position should be unlocked
        require(
            _unlockOperators.contains(msg.sender)
                || (position.startLockTime + position.lockDuration) <= _currentBlockTimestamp() || isUnlocked(),
            "locked"
        );
        // emergencyWithdraw: locked

        uint256 amount = position.amount;

        // update total lp supply
        _stakedSupply = _stakedSupply - amount;
        _stakedSupplyWithMultiplier = _stakedSupplyWithMultiplier - position.amountWithMultiplier;

        // destroy position (ignore boost points)
        _destroyPosition(tokenId);

        emit EmergencyWithdraw(tokenId, amount);
        stakedToken.safeTransfer(msg.sender, amount);
    }

Impact

Rewards not claimed during the emergencyWithdraw() function become permanently locked in the MlumStaking contract.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L536-L560

Tool used

Manual Review

Recommendation

It is recommended to either:

  1. Release the unclaimed rewards in the emergencyWithdraw() function by subtracting the unclaimed amount from _lastRewardBalance.
+       _lastRewardBalance -= unclaimedRewards; // unclaimedRewards should be calculated
  1. Implement a separate sweep function to retrieve the unclaimed rewards.

Duplicate of #460
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Smooth Taffy Moth - Unclaimed rewards from the emergencyWithdraw() function remain permanently locked in the MlumStaking contract KupiaSec - Unclaimed rewards from the emergencyWithdraw() function remain permanently locked in the MlumStaking contract Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
@chinmay-farkya chinmay-farkya mentioned this issue Aug 1, 2024
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4