The createPool function in the mock DistributionV2 contract lacks essential validation checks, posing potential risks related to the pool's payout start, decrease interval, and the prevention of duplicate pools. The absence of these checks could lead to unexpected behavior, disruptions, and complexities in managing the system. The recommended checks aim to enhance the robustness and security of the contract.
Payout Start Validation Missing:
The createPool function does not check whether pool_.payoutStart is set to a future timestamp. This absence allows the possibility of setting payout start to 0 or a past date.
Decrease Interval Validation Missing:
The function does not verify if pool_.decreaseInterval is greater than zero. This lack of validation can lead to unexpected behavior, especially if the contract performs calculations involving decreaseInterval.
Duplicate Pool Check Missing:
The function does not check for duplicate pools before adding them to the pools array. This absence may result in confusion and complexity in managing and maintaining the system, as duplicate pools may be inadvertently added.
There is also no access control, so anyone can call this function.
Payout Start Validation Missing:
The absence of a payout start validation check could allow users to set payout start to 0 or a past date. This may impact functions relying on payout start, potentially leading to unexpected behavior.
Decrease Interval Validation Missing:
Lack of validation for decreaseInterval may introduce vulnerabilities, impacting calculations and potentially causing transaction reverts or unexpected results.
Duplicate Pool Check Missing:
The absence of a duplicate pool check may lead to confusion and complexities in managing pools, as unintended duplicate entries could be added to the pools array.
Anyone can call this function.
Manual review and analysis
Payout Start Validation:
Add the following check to ensure that payoutStart is set to a future timestamp:
Decrease Interval Validation:
Add the following check to ensure that decreaseInterval is greater than zero:
Duplicate Pool Check:
Implement a check to ensure that duplicate pools are not added to the pools array. This can be achieved by verifying the uniqueness of pool attributes before appending a new pool.
Add access control.
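The four recommendations above combined in one createPool, as an added example that is not the project's DistributionV2 code. The Pool fields other than payoutStart and decreaseInterval, the owner-only access model, the error names and the hash-based duplicate check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's DistributionV2 mock.
contract PoolRegistryExample {
    // Assumed shape: only payoutStart and decreaseInterval are named in the finding.
    struct Pool {
        uint128 payoutStart;
        uint128 decreaseInterval;
        uint256 initialReward;  // hypothetical field
        uint256 rewardDecrease; // hypothetical field
    }

    error NotOwner();
    error PayoutStartNotInFuture(uint128 payoutStart, uint256 currentTime);
    error ZeroDecreaseInterval();
    error DuplicatePool(bytes32 poolHash);

    address public immutable owner;         // hypothetical access-control model
    Pool[] public pools;
    mapping(bytes32 => bool) private _seen; // hash of pool attributes => already added

    event PoolCreated(uint256 indexed poolId, bytes32 poolHash);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function createPool(Pool calldata pool_) external onlyOwner {
        // One comparison rejects both 0 and any past timestamp.
        if (pool_.payoutStart <= block.timestamp) {
            revert PayoutStartNotInFuture(pool_.payoutStart, block.timestamp);
        }
        // A zero interval must never reach later calculations that use it.
        if (pool_.decreaseInterval == 0) revert ZeroDecreaseInterval();

        // Uniqueness over all attributes, O(1) instead of scanning the array.
        bytes32 poolHash = keccak256(abi.encode(pool_));
        if (_seen[poolHash]) revert DuplicatePool(poolHash);
        _seen[poolHash] = true;

        pools.push(pool_);
        emit PoolCreated(pools.length - 1, poolHash);
    }
}
```

Hashing every field treats two pools as duplicates only when all attributes match; if pools can be edited after creation, the stored hash has to be updated in the same transaction.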