MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Morpheus owners can change `poolRate` at any time via `editPool`, which changes the amount a user expects to receive or transfer.

Vulnerability Details

Pool rates are read with `getCurrentPoolRate`, which takes the `poolId_` supplied by the user. The same pool state can be changed by the owner at any time through `editPool`, which updates the pool's properties.

If the owner's `editPool` transaction is mined before the user's transaction, the user's stake or claim is processed at a rate they never saw and they can suffer losses or unexpected returns. This can be prevented with caller-supplied bounds, similar to a 'slippage' or 'deadline' parameter.

```solidity
uint256 currentPoolRate_ = _getCurrentPoolRate(poolId_);
```

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/Distribution.sol#L161

```solidity
_stake(_msgSender(), poolId_, amount_, _getCurrentPoolRate(poolId_));
```

https://github.com/Cyfrin/2024-01-Morpheus/blob/07c900d22073911afa23b7fa69a4249ab5b713c8/contracts/Distribution.sol#L151

Impact

Unexpected returns, losses or transfers caused by a change in pool state (pool properties) between the time the user reads the rate and the time their transaction executes.

Tools Used

Manual

Recommendations

Let users pass a range of acceptable rates after reading the current pool rate, analogous to a slippage parameter, and revert if the rate seen on-chain at execution time falls outside that range.
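As an added illustration, not code from the Morpheus repository: a minimal Solidity contract with an owner-controlled `editPool`, the unguarded `stake` pattern from the linked lines, and a `stakeWithRateBounds` variant that implements the recommendation (rate window plus deadline). Pool state is reduced to a single rate field, and every identifier other than `editPool`, `_stake`, `poolId_`, `amount_` and `currentPoolRate_` is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract (not Morpheus' Distribution.sol). Only the field the report
/// cares about is modelled: the rate read when a stake is recorded.
contract RateBoundedStaking {
    address public owner;

    struct Pool {
        uint256 rate;   // stand-in for what _getCurrentPoolRate(poolId_) derives
        bool exists;
    }

    mapping(uint256 => Pool) public pools;
    mapping(address => mapping(uint256 => uint256)) public staked;      // user => poolId => amount
    mapping(address => mapping(uint256 => uint256)) public rateAtStake; // user => poolId => rate used

    error NotOwner();
    error PoolMissing(uint256 poolId);
    error Expired(uint256 deadline);
    error RateOutOfBounds(uint256 current, uint256 minRate, uint256 maxRate);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier poolExists(uint256 poolId_) {
        if (!pools[poolId_].exists) revert PoolMissing(poolId_);
        _;
    }

    function createPool(uint256 poolId_, uint256 rate_) external onlyOwner {
        pools[poolId_] = Pool({rate: rate_, exists: true});
    }

    /// Owner-only and callable at any time: the state change the report points at.
    function editPool(uint256 poolId_, uint256 newRate_) external onlyOwner poolExists(poolId_) {
        pools[poolId_].rate = newRate_;
    }

    function getCurrentPoolRate(uint256 poolId_) public view poolExists(poolId_) returns (uint256) {
        return pools[poolId_].rate;
    }

    /// Pattern from the linked lines: the rate is read inside the same transaction,
    /// so whatever editPool set one block earlier is what the user gets, with no recourse.
    function stake(uint256 poolId_, uint256 amount_) external poolExists(poolId_) {
        _stake(msg.sender, poolId_, amount_, getCurrentPoolRate(poolId_));
    }

    /// Recommended shape: the caller passes the rate window observed off-chain and a
    /// deadline; the call reverts if the on-chain rate moved outside the window or the
    /// transaction was held back past the deadline.
    function stakeWithRateBounds(
        uint256 poolId_,
        uint256 amount_,
        uint256 minRate_,
        uint256 maxRate_,
        uint256 deadline_
    ) external poolExists(poolId_) {
        if (block.timestamp > deadline_) revert Expired(deadline_);

        uint256 currentPoolRate_ = getCurrentPoolRate(poolId_);
        if (currentPoolRate_ < minRate_ || currentPoolRate_ > maxRate_) {
            revert RateOutOfBounds(currentPoolRate_, minRate_, maxRate_);
        }
        _stake(msg.sender, poolId_, amount_, currentPoolRate_);
    }

    function _stake(address user_, uint256 poolId_, uint256 amount_, uint256 currentPoolRate_) internal {
        staked[user_][poolId_] += amount_;
        rateAtStake[user_][poolId_] = currentPoolRate_;
    }
}
```

The bounds check belongs in the same transaction that records the stake, after the rate is read, so that an `editPool` mined in between makes the user's call revert instead of silently executing at the new rate. The same guard applies to a claim path that reads `currentPoolRate_` before computing rewards.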

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
