MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Invalid

Tokens are always transferred from the owner when staking in private pools

Summary

The function _stake(address user_, uint256 poolId_, uint256 amount_, uint256 currentPoolRate_) always transfers tokens from msg.sender and not the user when staking in a private pool.

Vulnerability Details

Private pools can only be managed by the protocol owner, by calling the function:

    function manageUsersInPrivatePool(
        uint256 poolId_,
        address[] calldata users_,
        uint256[] calldata amounts_
    ) external onlyOwner poolExists(poolId_) {
        require(!pools[poolId_].isPublic, "DS: pool is public");
        require(users_.length == amounts_.length, "DS: invalid length");

        uint256 currentPoolRate_ = _getCurrentPoolRate(poolId_);

        for (uint256 i; i < users_.length; ++i) {
            address user_ = users_[i];
            uint256 amount_ = amounts_[i];
            uint256 deposited_ = usersData[user_][poolId_].deposited;

            if (deposited_ < amount_) {
                _stake(user_, poolId_, amount_ - deposited_, currentPoolRate_);
            } else if (deposited_ > amount_) {
                _withdraw(user_, poolId_, deposited_ - amount_, currentPoolRate_);
            }
        }
    }

If the deposited amount is greater than the updated amount, the difference is staked by calling the function _stake(address user_, uint256 poolId_, uint256 amount_, uint256 currentPoolRate_). However, this function incorrectly transfers tokens from msg.sender, which can only be the owner, essentially staking the owner's tokens for other users.

Impact

The impact of this vulnerability is loss of tokens to the protocol owner.

Tools Used

Manual audit

Recommendations

Change the line

    IERC20(depositToken).safeTransferFrom(_msgSender(), address(this), amount_);

to

    IERC20(depositToken).safeTransferFrom(user_, address(this), amount_);

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
