LeFy - No MinimumLockDuration in Mlumstaking.sol lets anyone stake and steal rewards

[sherlock-admin2]

LeFy

High

No MinimumLockDuration in Mlumstaking.sol lets anyone stake and steal rewards

Summary

Since there is no minimumlockDuration for staking anyone can a create a staking position and claim rewards with very low lockDuration whenever there is large rewardtoken deposit is made

Vulnerability Detail

In Mlumstaking.sol , when a staking position is created, there is no minimumLockDuration check and the reward calculation depends on the amount of rewardtoken deposited and this lets anyone to create a position with very low lockDuration and claim rewards whenever there is large rewardtoken deposit is made.

    function createPosition(uint256 amount, uint256 lockDuration) external override nonReentrant {
        // no new lock can be set if the pool has been unlocked
        if (isUnlocked()) {
            require(lockDuration == 0, "locks disabled");
        }

        _updatePool();

        // handle tokens with transfer tax
        amount = _transferSupportingFeeOnTransfer(stakedToken, msg.sender, amount);
        require(amount != 0, "zero amount"); // createPosition: amount cannot be null

        // mint NFT position token
        uint256 currentTokenId = _mintNextTokenId(msg.sender);

        // calculate bonuses
        uint256 lockMultiplier = getMultiplierByLockDuration(lockDuration);
        uint256 amountWithMultiplier = amount * (lockMultiplier + 1e4) / 1e4;

        // create position
        _stakingPositions[currentTokenId] = StakingPosition({
            initialLockDuration: lockDuration,
            amount: amount,
            rewardDebt: amountWithMultiplier * (_accRewardsPerShare) / (PRECISION_FACTOR),
            lockDuration: lockDuration,
            startLockTime: _currentBlockTimestamp(),
            lockMultiplier: lockMultiplier,
            amountWithMultiplier: amountWithMultiplier,
            totalMultiplier: lockMultiplier
        });

        // update total lp supply
        _stakedSupply = _stakedSupply + amount;
        _stakedSupplyWithMultiplier = _stakedSupplyWithMultiplier + amountWithMultiplier;

        emit CreatePosition(currentTokenId, amount, lockDuration);
    }

Repolink

The attacker can also exploit a front-running attack , the attacker monitors the blockchain for incoming transactions that would deposit a large amount of reward tokens into the staking pool. Just before the large reward deposit transaction is confirmed, the attacker creates a new position by calling the createPosition function with the amount of staked tokens. Since _updatePool and _harvestPosition functions are called during the reward distribution, the newly created position will be eligible to receive a share of the newly deposited rewards even if the lock duration is very short .The attacker can withdraw shortly after claiming the rewards, thus earning a disproportionate amount of rewards relative to their stake duration.

Impact

Anyone can create a position with very low lockDuration and claim rewards whenever there is large rewardtoken deposit is made.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L354
https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L442
https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L574

Tool used

Manual Review

Recommendation

Implement a minimumLockDuration requirement

Duplicate of #74