Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

dhank - MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved. #639

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Closed

dhank - MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved. #639

sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited
Loading

dhank

High

MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved.

Summary

Wrongly calculated position.lockMultiplier.

Vulnerability Detail

position.lockMultiplier should be actually the value getMultiplierByLockDuration(position.initialLockDuration)

 function _lockPosition(uint256 tokenId, uint256 lockDuration, bool resetInitial) internal {
        ....
         if (resetInitial) {
            require(lockDuration > position.initialLockDuration, "invalid");
            position.initialLockDuration = lockDuration;
        }
        _harvestPosition(tokenId, msg.sender); 

        // update position and total lp supply
        position.lockDuration = lockDuration;
->      position.lockMultiplier = getMultiplierByLockDuration(lockDuration);  //.. @audit initialLockDuration for renewLockDuration because we are not changing the lockduration
        position.startLockTime = currentBlockTimestamp;
        _updateBoostMultiplierInfoAndRewardDebt(position);

        emit LockPosition(tokenId, lockDuration);
    }

When a user renew lockDuration of a position using renewLockPosition() without resetting the initialLockDuration , position.lockMultiplier will be calculated using the new lockDuration which can be less than initialLockDuration.

Impact

position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L509-L514
https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L691-L719

Tool used

Manual Review

Recommendation

position.lockMultiplier = getMultiplierByLockDuration(initialLockDuration);

Duplicate of #138
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 21, 2024
@0xSmartContract 0xSmartContract added Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels Jul 26, 2024
@sherlock-admin4 sherlock-admin4 changed the title Joyful Basil Swallow - MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved. dhank - MlumStaking.sol::position.lockMultiplier is wrongly calculated resulting the user to earn less rewards than deserved. Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0xSmartContract @sherlock-admin4