Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

Yanev - revert in BribeRewarder.sol #635

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

Yanev - revert in BribeRewarder.sol #635

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

Yanev

Medium

revert in BribeRewarder.sol

Summary

ownerOf check will revert, when deposit function calls _modify, because msg.sender will be the Voter contract

Vulnerability Detail

When someone vote, the Voter.sol is calling the deposit function, which has onlyVoter modifier - which check if msg.sender = address(_caller). Than 'deposit' call '_modify', where msg.sender must be the owner of the tokenId, but it will be the Voter contract - the transaction will revert.

Impact

Can not vote for pools, that have bribe rewarders.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/rewarders/BribeRewarder.sol#L143-L147
https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/rewarders/BribeRewarder.sol#L264-L266

Tool used

Manual Review

Recommendation

remove the ownerOf check.

Duplicate of #39
@github-actions github-actions bot added duplicate High A High severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Urban Burgundy Goblin - revert in BribeRewarder.sol Yanev - revert in BribeRewarder.sol Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A High severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4