User can deposit more than his balance
Summary
In Staking.deposit() function there is no check that the _amount deposited should not exceed msg.sender.balance
Vulnerability Details
The deposit() in Staking.sol first performs the transfer for msg.sender to the address of the contract for the _amount specified by the caller.Then calls the internal function updateFor for msg.sender in order to update the index and then updates the balances mapping for msg.sender with the _amount. So not following CEI pattern is not a big issue but before the token transfer , a check that the deposited amount does not exceed balanceOf(msg.sender) is missing. This means that a user can deposit more tokens than he possesses.
Impact
Let's say Bob has 1 WBTC and wants to deposit it in Staking.sol. We all know everything on the blockchain is public and Bob
examines the code before depositing. He notices that the function deposit does not check his balance and he deposits 2 WBTC tokens although he has only one. As a result the Staking.sol contract will think that Bob has deposited 2 WBTC as this will be the state. Bob earns higher interest.
Tools Used
Manual Review
Recommendations
Consider implementing the following check before the transfer of deposit tokens happen:
if(balanceOf(msg.sender) < _amount) revert InsufficientAmount();
Please note that this custom error is non-existent in the current code. I did not propose a require statement because the protocol uses custom errors.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.