In the SDLPoolPrimary.sol contract, the function that stakes and locks SDL, onTokenTransfer(), has no minimum limit check on the value being staked and locked. This allows a malicious user to lock a very small amount of SDL (just greater than 0) for maxLockingDuration and receive the boost for that whole period.
In onTokenTransfer() there is no check for a minimum amount of SDL tokens. Here is the code:
Now any user can lock a very small amount of tokens for maxLockingDuration, and since the boost is proportional to the length of the locking period, the user obtains an unwarranted benefit.
Run this test:
Unwarranted boosts will be given to such users.
Manual analysis
Add a minimum limit on the amount of tokens to be locked instead of only checking for a 0 value.
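As an added illustration of the recommended mitigation (this is example code, not the SDLPoolPrimary.sol contract itself), the simplified contract below shows an ERC677 onTokenTransfer() callback that only rejects a zero value next to a hardened version that enforces a configurable minimum lock amount and bounds the requested duration by maxLockingDuration. The contract name, the `minLockAmount` floor, the `sdlToken` caller check, the `Lock` struct and the duration value of four years are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified stand-in for an SDL pool; not the project's code.
contract MinLockExample {
    // Assumed value for this example; the real contract defines its own.
    uint64 public constant maxLockingDuration = 4 * 365 days;

    address public immutable sdlToken;  // token allowed to invoke the callback (assumption)
    uint256 public minLockAmount;       // floor on the locked amount (the mitigation)

    struct Lock { uint256 amount; uint64 duration; }
    mapping(address => Lock) public locks;

    event Locked(address indexed staker, uint256 amount, uint64 duration);

    constructor(address _sdlToken, uint256 _minLockAmount) {
        sdlToken = _sdlToken;
        minLockAmount = _minLockAmount;
    }

    // Weak form: only rejects a zero value, so locking 1 wei of SDL for
    // maxLockingDuration is accepted and earns the full duration-based boost.
    function onTokenTransferWeak(address _sender, uint256 _value, bytes calldata _calldata) external {
        require(msg.sender == sdlToken, "caller is not SDL token");
        require(_value > 0, "zero value");
        uint64 duration = abi.decode(_calldata, (uint64));
        _lock(_sender, _value, duration);
    }

    // Hardened form: enforces a minimum locked amount instead of a bare non-zero
    // check, and rejects durations beyond maxLockingDuration.
    function onTokenTransfer(address _sender, uint256 _value, bytes calldata _calldata) external {
        require(msg.sender == sdlToken, "caller is not SDL token");
        require(_value >= minLockAmount, "below minimum lock amount");
        uint64 duration = abi.decode(_calldata, (uint64));
        require(duration <= maxLockingDuration, "duration exceeds maximum");
        _lock(_sender, _value, duration);
    }

    function _lock(address _staker, uint256 _amount, uint64 _duration) internal {
        locks[_staker] = Lock(_amount, _duration);
        emit Locked(_staker, _amount, _duration);
    }
}
```

The floor should be set in token base units (e.g. 10**18 for one whole token) and, if it is made adjustable, changes should be restricted to the contract owner, since a zero floor reverts the contract to the weak behaviour.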