MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Invalid

Race conditions if many users are staking at the same time

Summary

If many users are staking at the same time, an issue might arise from the way the contract calculates the staked amount, which is based on the balance difference before and after the transaction.

Vulnerability Details

On lines 203 to 207, we have:

uint256 balanceBefore_ = IERC20(depositToken).balanceOf(address(this));
IERC20(depositToken).safeTransferFrom(_msgSender(), address(this), amount_);
uint256 balanceAfter_ = IERC20(depositToken).balanceOf(address(this));
amount_ = balanceAfter_ - balanceBefore_;

If two users are staking and their transactions are processed close to each other in time, there's a potential issue with the way amount_ is recalculated.

This calculation can lead to incorrect results if the transactions overlap in a way that the balanceBefore_ captures the state partway through another user's deposit. In a high-traffic contract with many concurrent transactions, this could lead to race conditions and incorrect calculations.

Impact

Users might end up with an amount registered in the contract that is either lower or higher than the actual amount they intended to stake.

Tools Used

Manual audit.

Recommendations

It's generally safer to directly use the amount_ value that the user intends to stake, rather than calculating it from the balance changes, to avoid such issues.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
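
An added illustration, not part of the submission or the audited contract: a Python model of the four quoted lines, with stake transactions applied one at a time, the way the EVM executes the transactions in a block. The `Token`, `Pool` and `run` names, the fee-on-transfer setting and the sample deposits are constructed for the example.

```python
# Added illustration (not the audited contract): a minimal token ledger and
# staking pool, with transactions applied strictly one after another.

class Token:
    """Constructed ERC-20-like ledger; fee_bps models a fee-on-transfer token."""
    def __init__(self, fee_bps=0):
        self.balances = {}
        self.fee_bps = fee_bps

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        received = amount - amount * self.fee_bps // 10_000
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + received


class Pool:
    """Hypothetical pool mirroring the four quoted lines of the stake logic."""
    def __init__(self, token, use_balance_diff):
        self.token = token
        self.use_balance_diff = use_balance_diff
        self.staked = {}

    def stake(self, user, amount):
        before = self.token.balance_of("pool")          # balanceBefore_
        self.token.transfer_from(user, "pool", amount)  # safeTransferFrom
        after = self.token.balance_of("pool")           # balanceAfter_
        credited = after - before if self.use_balance_diff else amount
        self.staked[user] = self.staked.get(user, 0) + credited


def run(fee_bps, use_balance_diff, txs):
    """Apply stake transactions in order; return (credited amounts, tokens held)."""
    token = Token(fee_bps)
    for user, amount in txs:  # fund each user with exactly what they will stake
        token.balances[user] = token.balance_of(user) + amount
    pool = Pool(token, use_balance_diff)
    for user, amount in txs:  # one transaction runs to completion before the next
        pool.stake(user, amount)
    return pool.staked, token.balance_of("pool")
```

Because each call runs to completion before the next begins, the balance difference always equals what the pool received for that call. Crediting the requested amount instead records more than the pool holds whenever the token delivers less than requested.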
