Insufficient input validation in _createLock()
This exposes the contract to potential abuse through the creation of locks with invalid parameters.
The _createLock() function is defined as:
There is no validation of:
- _amount, which could be 0 or an arbitrarily large number
- _lockingDuration, which could exceed the maximum duration or be 0
This could allow users to create locks that:
- have huge boosted balances from enormous _amount values
- lock funds indefinitely by setting _lockingDuration to 2^64 - 1 seconds
- avoid locking while still earning rewards by specifying _lockingDuration as 0
Impact:
- Manipulation of lock boost multipliers
- Indefinite locking of funds
- Dishonestly earning rewards without actual locking
Input validation should be added to _createLock() so that _amount is non-zero and bounded, and _lockingDuration is non-zero and no greater than the maximum allowed duration.
Additional checks could also be implemented in the calling functions.
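An added illustration of the recommended checks, not the audited contract's code: the struct, the MAX_LOCK_DURATION and MAX_LOCK_AMOUNT constants, the boost formula and the public createLock() wrapper are all assumptions chosen only to show where the validation belongs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Hypothetical contract written for this finding; names and limits are assumed.
contract LockValidationExample {
    uint64 public constant MAX_LOCK_DURATION = 4 * 365 days; // assumed cap
    uint256 public constant MAX_LOCK_AMOUNT = 1_000_000e18;  // assumed per-lock cap

    struct Lock {
        uint256 amount;
        uint64 start;
        uint64 duration;
        uint256 boosted;
    }

    error ZeroAmount();
    error AmountTooLarge(uint256 amount);
    error DurationOutOfRange(uint64 duration);

    mapping(address => Lock[]) public locks;

    /// @notice Calling function: a caller-level check before the internal helper.
    function createLock(uint256 _amount, uint64 _lockingDuration) external {
        if (_amount == 0) revert ZeroAmount();
        _createLock(msg.sender, _amount, _lockingDuration);
    }

    /// @dev Internal helper with the validation the finding asks for.
    function _createLock(address _user, uint256 _amount, uint64 _lockingDuration) internal {
        // Reject the zero and unbounded amounts that inflate boosted balances.
        if (_amount == 0) revert ZeroAmount();
        if (_amount > MAX_LOCK_AMOUNT) revert AmountTooLarge(_amount);
        // Reject a 0 duration (rewards without locking) and oversized durations
        // such as 2^64 - 1 seconds (effectively an indefinite lock).
        if (_lockingDuration == 0 || _lockingDuration > MAX_LOCK_DURATION) {
            revert DurationOutOfRange(_lockingDuration);
        }
        // Assumed boost: linear from 1x at a minimal lock to 2x at MAX_LOCK_DURATION.
        uint256 boosted = _amount + (_amount * _lockingDuration) / MAX_LOCK_DURATION;
        locks[_user].push(Lock(_amount, uint64(block.timestamp), _lockingDuration, boosted));
    }
}
```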