Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

neogranicen - User will lose all his secondary rewards if the extra rewarder gets updated while he is staking #649

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 1 comment
Closed

neogranicen - User will lose all his secondary rewards if the extra rewarder gets updated while he is staking #649

sherlock-admin3 opened this issue Jul 15, 2024 · 1 comment
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by WangSecurity
Loading

neogranicen

Medium

User will lose all his secondary rewards if the extra rewarder gets updated while he is staking

Summary

If a user stakes tokens in the masterchefV2 and the Extra Rewarder gets changed while the user tokens are staked he will loose all his rewards from the previous rewarder

Vulnerability Detail

A users rewards from the masterchef rewarder are sent to him everytime he: deposits,withrawls,claim rewards or the trustee deposits for him and this is done by calling onModify

  • Now alice deposits 100 tokens
  • Now non of the actions decribed above the causes onModify to be called on here account happen
  • After 10 days at a rate of 1 reward token per day for 1 deposited token she has 1000 reward tokens.
  • Before alice claims the rewards _setExtraRewarder is called and the extra rewarder is changed
  • now alice calls claim but recieves nothing

Impact

The issue outlined above will cause loss of funds to users who did not get their rewards yet and the damage will depend on how frequently the rewarder is updated

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MasterchefV2.sol#L488

Tool used

Manual Analysis

Recommendation

Ensure that all the rewards from the old extra rewarder are distrubuted before setting a new one
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin2 sherlock-admin2 changed the title Quaint Alabaster Alligator - User will lose all his secondary rewards if the extra rewarder gets updated while he is staking neogranicen - User will lose all his secondary rewards if the extra rewarder gets updated while he is staking Jul 30, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 30, 2024
@chinmay-farkya chinmay-farkya mentioned this issue Aug 1, 2024
Open
@WangSecurity
Copy link

Invalid based on the discussion under #460

@WangSecurity WangSecurity removed Medium A Medium severity issue. Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Aug 20, 2024
@sherlock-admin2 sherlock-admin2 added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue labels Aug 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@WangSecurity @sherlock-admin2 @sherlock-admin3 @sherlock-admin4