PUSH0 - MLUM's voting power can be double-spent if the position's expiry coincides with a period

[sherlock-admin2]

PUSH0

High

MLUM's voting power can be double-spent if the position's expiry coincides with a period

Summary

Per the code comments, the condition for a position to be able to vote is that the initial lock duration is at least 3 months, and the position is locked.

// check if _minimumLockTime >= initialLockDuration and it is locked

Per the docs:

The overall lock needs to be longer then 90 days and the remaining lock period needs to be longer then the epoch time.

However, should a position's expiry coincides with a voting period (which is literally any possible time because voting periods are consecutive and continuous), then a user is able to vote twice in one period for the same amount of MLUM by withdrawing then locking a new position.

Vulnerability Detail

Consider the following scenario:

• Alice locks MLUM for 3 months, so she is eligible to vote.
• Alice's lock position expires in 1 week, but the voting epoch has just begun and will end in 2 weeks.
• Alice votes for her pool now.
• After one week, Alice withdraws her lock position and gets back her MLUM. However she then locks the exact same position again, and vote again in the same period.

If the period has a bribe, then it also has an additional effect of Alice being able to get more bribes for the same MLUM amount.

Impact

Voting power of each MLUM can be double-spent, causing inflated rewards for a pool, and unfair bribe distributions if any.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L170-L178

Tool used

Manual Review

Recommendation

The condition for voting eligibility should be the lock position expires after the voting epoch ends, not just at the time of voting.

Duplicate of #166