stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Valid

Change in `LinearBoostController` across chains can lead to users' loss of funds

Summary

If `maxLockingDuration` in the `LinearBoostController` differs across chains, and a user transfers their lock from the chain with the smaller `maxLockingDuration` to the chain with the larger one, and then transfers tokens to that lockId with the same locking duration, the transferred funds will not be added to their balance if the newly calculated boosted amount is less than the former one.

Vulnerability Details

The function `executeQueuedOperations` is defined as follows:

```solidity
function executeQueuedOperations(uint256[] memory _lockIds) external {
    // Apply the caller's queued lock updates, then mint any queued new locks
    _executeQueuedLockUpdates(msg.sender, _lockIds);
    _mintQueuedNewLocks(msg.sender);
}
```

In the function `_executeQueuedLockUpdates(msg.sender, _lockIds)`, the boost difference is computed as:

```solidity
int256 boostAmountDiff = int256(updateLockState.boostAmount) - int256(curLockState.boostAmount);
```

If `boostAmountDiff` is negative, `lock.expiry` is set to the new lock expiry and `boostAmount` is set to 0, but the tokens transferred by the user are not added to their balance.

Impact

The difference in `maxLockingDuration` can lead to loss of funds for users.

Tools Used

Manual audit

Recommendations

Always ensure that `maxBoost` and `maxLockingDuration` are consistent across chains, or prevent users from transferring their tokens if there is a difference in `maxLockingDuration`.
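
The arithmetic behind the finding and the recommended consistency check, as an added Python model (not stake.link's contract code). The linear boost formula, the chain names and all numeric parameters are assumptions constructed for illustration; the negative-diff branch follows the behaviour described in the submission.

```python
from dataclasses import dataclass

@dataclass
class Lock:
    amount: int        # base tokens credited to the lock
    boost_amount: int  # boost credited to the lock
    duration: int      # locking duration (days here, for readability)
    expiry: int = 0

def linear_boost(amount, duration, max_boost, max_locking_duration):
    # Assumed formula: boost grows linearly with duration / maxLockingDuration.
    return amount * max_boost * duration // max_locking_duration

def execute_queued_update(cur, added, new_expiry, max_boost, max_locking_duration):
    """Model of the queued lock update branch described in the finding."""
    new_amount = cur.amount + added
    new_boost = linear_boost(new_amount, cur.duration, max_boost, max_locking_duration)
    diff = new_boost - cur.boost_amount  # boostAmountDiff
    if diff < 0:
        # Negative branch: expiry updated, boost zeroed, added tokens not credited.
        return Lock(cur.amount, 0, cur.duration, new_expiry), diff
    return Lock(new_amount, new_boost, cur.duration, new_expiry), diff

def mismatched_chains(configs, reference):
    """Recommended check: list chains whose (maxBoost, maxLockingDuration) differ."""
    return sorted(c for c, cfg in configs.items() if cfg != configs[reference])

# Constructed parameters: (maxBoost, maxLockingDuration in days) per chain.
CONFIGS = {"chain_a": (8, 730), "chain_b": (8, 1460)}

def scenario(dest_cfg):
    max_boost_a, max_dur_a = CONFIGS["chain_a"]
    # 1000 tokens locked for 730 days on chain A, then bridged with its boost.
    lock = Lock(1000, linear_boost(1000, 730, max_boost_a, max_dur_a), 730)
    # User adds 100 tokens on the destination chain with the same duration.
    return execute_queued_update(lock, 100, 9999, *dest_cfg)

if __name__ == "__main__":
    print(scenario(CONFIGS["chain_b"]))   # mismatched destination config
    print(scenario(CONFIGS["chain_a"]))   # consistent destination config
    print(mismatched_chains(CONFIGS, "chain_a"))
```

Running `mismatched_chains` over the deployed parameters before enabling cross-chain transfers is one way to enforce the first recommendation operationally.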

Updates

Lead Judging Commences

0kage Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

negative boostdiff

negative boost diff caused by lowering max boost or increasing max duration can trigger unlocks
