stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

If maxLockingDuration is changed to a lower value, existing users will still need to use the old duration

peanuts

Summary

If the owner decreases the maxLockingDuration, users cannot change their maxLock and will have to wait for the original time to get their tokens back.

Vulnerability Details

The owner can change the maxLockingDuration at any time

function setMaxLockingDuration(uint64 _maxLockingDuration) external onlyOwner {

maxLockingDuration = _maxLockingDuration;

emit SetMaxLockingDuration(_maxLockingDuration);

}

Let's say the maxLockingDuration is 4 years and the owner intends to change it to 2 years because owner thinks that 4 years is too long.

Users already created a lock for 4 years (max duration)

If a user wants to initiate an unlock, he has to still wait for 2 years (halfduration) instead of waiting for 1 year now.

function initiateUnlock(uint256 _lockId) external onlyLockOwner(_lockId, msg.sender) updateRewards(msg.sender) {

if (locks[_lockId].expiry != 0) revert UnlockAlreadyInitiated();

> uint64 halfDuration = locks[_lockId].duration / 2;

> if (locks[_lockId].startTime + halfDuration > block.timestamp) revert HalfDurationNotElapsed();

Users also cannot change their lock duration to 2 years. The only way to change lock duration is through extendLockDuration(), which calls _storeUpdatedLock() and calls _updateLock().

_updateLock() in SDLPool will check if the locking duration is less than the lock.duration and whether the lock.expiry == 0.

function _updateLock(

Lock memory _lock,

uint256 _amount,

uint64 _lockingDuration

) internal view returns (Lock memory) {

if ((_lock.expiry == 0 || _lock.expiry > block.timestamp) && _lockingDuration < _lock.duration) {

revert InvalidLockingDuration();

}

If a user wants to change the lock duration from 4 years to 2 years, _lock.duration will be 4 years, _lockingDuration() will be 2 years. _lock.expiry will be 0, so the if statement will pass, resulting in revert.

This means that a user cannot change the maxlock duration from 4 years to 2 years.

Impact

New users will be able to reap the benefit of a smaller maxlock duration, and old users will be penalized by having to wait for the old duration.

Tools Used

VSCode

Recommendations

Recommend being fair for new and old users, and make sure that all lock duration can be changed accordingly when maxLockDuration is changed by the owner.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.