stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Insufficient validation in `_createLock()` allows manipulation, indefinite locking, and dishonest rewards.

Summary

_createLock() has insufficient input validation. This exposes the contract to potential abuse through the creation of invalid lock parameters.

Vulnerability Details

The _createLock() function is defined as:

    function _createLock(uint256 _amount, uint64 _lockingDuration) internal view returns (Lock memory) {
        uint256 boostAmount = boostController.getBoostAmount(_amount, _lockingDuration);
        uint64 startTime = _lockingDuration != 0 ? uint64(block.timestamp) : 0;
        return Lock(_amount, boostAmount, startTime, _lockingDuration, 0);
    }

There is no validation of:

  • _amount - which could be 0 or an arbitrarily large number

  • _lockingDuration - which could exceed the maximum duration or be 0

This could allow users to create locks that:

  • Have huge boosted balances from enormous _amount values

  • Lock funds indefinitely by setting _lockingDuration to 2^64 - 1 seconds

  • Avoid locking while still earning rewards by specifying _lockingDuration as 0

Impact

  • Manipulation of lock boost multipliers

  • Indefinite locking of funds

  • Dishonestly earning rewards without actual locking

Tools Used

Vs

Recommendations

Input validation should be added to _createLock():

function _createLock(uint256 _amount, uint64 _lockingDuration) internal view {
+ if (_amount == 0) revert InvalidAmount();
+ if (_lockingDuration == 0 || _lockingDuration > MAX_LOCK_DURATION) {
+ revert InvalidLockDuration();
}
// Create lock
}
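
Review bot: the `_lockingDuration == 0` rejection in the second added line conflicts with the function as quoted under Vulnerability Details, which handles a zero duration explicitly by setting `startTime` to 0 instead of `block.timestamp`; if unlocked positions are a supported case, keep only the upper bound (`_lockingDuration > MAX_LOCK_DURATION`). The signature here also drops `returns (Lock memory)` and the body is reduced to `// Create lock`, so the snippet no longer returns the `Lock` the original builds; the closing brace of the `if` is missing its `+` marker; and `InvalidAmount`, `InvalidLockDuration` and `MAX_LOCK_DURATION` do not appear in any of the lines shown, so the change should state where they are declared and what value the maximum takes.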

Additional checks could also be implemented in the calling functions.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
