MorpheusAI

Foundry

22,500 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

User can bypass the minimum amount of staking

tLucky

Summary

An user, after initially staking the minimum required amount, can subsequently bypass this minimum threshold in later transactions. This loophole allows the user to stake amounts lower than the originally intended minimum.

Vulnerability Details

In line 209 of the Distribution.sol file, we have:

require(userData.deposited + amount_ >= pool.minimalStake, "DS: amount too low");

This line of code checks the total deposited amount (userData.deposited + amount_) against the minimal stake. If a user has already deposited an amount meeting the minimum stake in previous transactions, they can subsequently deposit any amount, even if it's below the minimum stake, because userData.deposited is cumulative (line 224).

Proof of concept

it('should revert if amount is less than minimal stake after first staking ', async() => {

const pool = { ...getDefaultPool(), minimalStake: wei(2) };

await distribution.createPool(pool);

// second user is staking for the first time using the minimal amount

await distribution.connect(SECOND).stake(1, wei(2));

await setNextTime(oneDay * 2);

// waiting after two days, he decides to sake an amount below the minimum.

// the transaction doesn't revert.

await expect(distribution.connect(SECOND).stake(1, wei(1))).to.be.revertedWith('DS: amount too low');

});

Impact

This could allow users to bypass the minimum stake requirement after their initial deposit.

Tools Used

Manual audit.

Recommendations

To address the vulnerability, it's advised to modify the smart contract's logic to check only the amount_ being currently staked against the pool.minimalStake. This ensures that each individual staking transaction must meet the minimum stake requirement, regardless of the user's previous deposits.

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

22,500 USDC

nSLOC

1,054

21 USDC / LOC

High Medium

20,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.