MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Invalid

In Distribution.sol the function to manage users in a private pool has insufficient logic

Summary

In Distribution.sol the function manageUsersInPrivatePool() does not account for all amounts, which could lead to locked funds.

Vulnerability Details

Suppose there is User A in a private pool.

The protocol owner stakes the minimum staking amount on behalf of User A.

Then the owner proceeds to try and withdraw the funds of User A by calling the manage users function.

However the line

} else if (deposited_ > amount_) {

requires that the amount to be withdrawn is strictly less than the amount deposited. However, this will revert, as the withdraw function requires that a user has a minimum stake remaining in the protocol or all funds are withdrawn.

Impact

Locked funds.

Tools Used

Manual Review

Recommendations

I would recommend that the strictly less than be changed to less than or equal to. Another approach would be to add another array to state whether the owner is staking or withdrawing, then for the logic to be changed accordingly.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
