MorpheusAI
MorpheusAI
Foundry
22,500 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Logic error allow withdraw before lock time ends

saaj

Summary

_withdraw function in Distribution.sol has a logic error in condition that check current time with that of the pool.payoutStart time.

Vulnerability Details

The || OR logic checks allow the code to be proceed when any one of the two condition is met.

if (pool.isPublic) {
require(
block.timestamp < pool.payoutStart ||
(block.timestamp > pool.payoutStart + pool.withdrawLockPeriod &&
block.timestamp > userData.lastStake + pool.withdrawLockPeriodAfterStake),
"DS: pool withdraw is locked"
);

The first condition in require is block.timestamp < pool.payoutStart which checks condition to allow for withdrawal where current time is less than the time of pool.payoutStart.
The block.timestamp < pool.payoutStart will allow any user to withdraw their amount at any time before the lock time has ended.

Impact

The || OR condition can impact the whole lock time for the pool and disturbing the balance by allowing a staker to withdraw their amount during the lock period.

Recommendations

The recommendation is made to remove the block.timestamp < pool.payoutStart and || OR condition and only check for conditions of second instance in which current time is greater than lock period and stake time.

if (pool.isPublic) {
require(
- block.timestamp < pool.payoutStart ||
(block.timestamp > pool.payoutStart + pool.withdrawLockPeriod &&
block.timestamp > userData.lastStake + pool.withdrawLockPeriodAfterStake),
"DS: pool withdraw is locked"
);
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.