Fake a deposit and generate rewards forever and claim them back later
Summary
User can fake a deposit and earn rewards as the accounting system can be bypassed. User can later claim tokens he never deposited.
Vulnerability Details
In the deposit function, the token are transferred by the staking user with an amount larger than the actual balance in user's account. As the tokens are attempted to be pulled from user account, the transfer From will fail and returns the boolean as false.
But, since the implementation is ignoring the flag returned, it will update the staking user balance with the amount specified.
The rewards are computed based on the user balance maintained by the contract and hence user will continue to claim rewards for ever until the user decides to withdraw.
At any point, the user can withdraw the tokens from the staking contract and he will receive the tokens he never deposited.
Impact
Protocol will pay for tokens that were never staked.
Protocol will also loose the tokens of other users and incur losses.
The accounting system is broken
Tools Used
Manual Review
Recommendations
transferFrom() and transfer() call's return value should always be checked. Ignoring the return value breaks the accounting system in the protocol.
It is advised to use safetransfer utilities provided by Openzepplien.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.