The contract does not include necessary validation checks for the _amount parameter in the deposit and withdraw functions. This omission allows users to deposit zero tokens and withdraw more tokens than they have staked, leading to potential unexpected behavior or financial loss.
Deposit Function: There is no check to prevent a user from depositing zero tokens. Though this doesn't lead to a direct security risk, it may result in unnecessary state updates and gas costs.
Withdraw Function: The lack of validation on the withdrawal amount poses a more significant risk:
Excessive Withdrawal: A user can potentially withdraw more tokens than they have staked, violating the logical constraints of the staking system.
Users could experience unexpected behavior, such as the ability to withdraw more tokens than they have staked or unnecessary gas costs for zero deposits.
The integrity of the contract could be compromised, with balances and staking logic not behaving as intended. The lack of constraints could be exploited by malicious actors to drain funds or disrupt the contract's operation.
Manual
Implementing proper input validation can address this vulnerability:
In the deposit function, require that _amount must be greater than zero.
In the withdraw function, require that _amount must be less than or equal to the user's balance.
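The two checks recommended above, shown as an added example on a hypothetical staking contract (this is not the audited contract's code). The contract name StakingSketch, the staked mapping, the stakingToken variable and the revert messages are assumptions made for illustration; only deposit, withdraw and _amount come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration; names other than
// deposit, withdraw and _amount are assumptions.
contract StakingSketch {
    IERC20 public immutable stakingToken;       // assumed staking token
    mapping(address => uint256) public staked;  // assumed per-user staked balance

    constructor(IERC20 _token) {
        stakingToken = _token;
    }

    function deposit(uint256 _amount) external {
        // Reject zero deposits so no state update or gas is spent on a no-op.
        require(_amount > 0, "deposit: amount is zero");

        // Update accounting first; a failed transfer reverts the whole call.
        staked[msg.sender] += _amount;
        require(
            stakingToken.transferFrom(msg.sender, address(this), _amount),
            "deposit: transferFrom failed"
        );
    }

    function withdraw(uint256 _amount) external {
        uint256 balance = staked[msg.sender];

        // A user can never take out more than they have staked.
        require(_amount <= balance, "withdraw: amount exceeds staked balance");

        // Reduce the balance before the external token call.
        staked[msg.sender] = balance - _amount;
        require(
            stakingToken.transfer(msg.sender, _amount),
            "withdraw: transfer failed"
        );
    }
}
```

The explicit require in withdraw makes the constraint visible at the top of the function and gives a clear revert reason, rather than leaving the limit to whatever arithmetic follows.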