_createLock implementation is wrong. #69
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-bot-5
added
3 (High Risk)
|
141345 marked the issue as duplicate of #225 |
|
thereksfour marked the issue as not a duplicate |
|
thereksfour marked the issue as unsatisfactory: |
c4-judge
added
unsatisfactory
|
thereksfour changed the severity to QA (Quality Assurance) |
|
thereksfour marked the issue as grade-c |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-03-abracadabra-money/blob/main/src/staking/LockingMultiRewards.sol#L490
Vulnerability details
Impact
_createLock implementation is wrong.
Proof of Concept
Let assume, lockduration = 7 days, reward duration = 1 days, alice locks 100 amount on january 1, so alice’s lastlockindex unlocktime is set to january 8.
In january 2,alice again locks 100 amount , so this 100 amount should be locked in the lastlockindex as per code comment but this 100 amount is locked in a different lock index.
Let’s see how? On January 2 , when alice locks 100 amounts, function _createLock is called.
See function _createLock, here userLocks[user][_lastLockIndex].unlockTime = january 8 and _nextUnlockTime = january 9. As _userLocks[user][_lastLockIndex].unlockTime < _nextUnlockTime, so this will create new lock index for the user but as per code comment Add to current lock if it's the same unlock time.here _nextUnlockTime will be always greater than last index unlockTime.
Tools Used
manual review
Recommended Mitigation Steps
implement properly _createLock
Assessed type
Error
The text was updated successfully, but these errors were encountered: