Severity: medium
Valid

`Streets::unstake` mints an incorrect amount of CRED tokens to the staker of a rapper NFT

Summary

The protocol lets users stake their rapper NFT and earn CRED tokens based on how long the NFT stays staked in the Streets contract.
CRED is an ERC20 token with 18 decimals. The protocol is expected to mint 1 CRED token per day staked (up to a maximum of 4 days) to users who stake their rapper NFT, but in practice it mints only 0.000000000000000001 token.

Vulnerability Details

The vulnerability is in the Streets contract, which lets users earn CRED tokens for their staked rapper.

The CRED token is an ERC20 contract with 18 decimals, so 1 CRED token is equivalent to 10^18 base units; the additional 18 zeroes are used to represent fractional values.

The protocol states that 1 CRED token is minted per day staked, for a maximum of 4 days. Taking the decimals into account, the amount to mint in Solidity should therefore be 10^18, but the contract mints only 0.000000000000000001 token.
As a result, users receive a negligible amount of CRED tokens.

```solidity
if (daysStaked >= 1) {
    stakedRapperStats.weakKnees = false;
@>  credContract.mint(msg.sender, 1);
}
if (daysStaked >= 2) {
    stakedRapperStats.heavyArms = false;
@>  credContract.mint(msg.sender, 1);
}
if (daysStaked >= 3) {
    stakedRapperStats.spaghettiSweater = false;
@>  credContract.mint(msg.sender, 1);
}
if (daysStaked >= 4) {
    stakedRapperStats.calmAndReady = true;
@>  credContract.mint(msg.sender, 1);
}
```
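
The unit mismatch described above, as an added example that is not code from the Streets or CRED contracts: it contrasts minting one base unit per threshold with minting scaled by `10 ** decimals()`, and asserts the difference for a 4-day stake. `MockCred`, `RewardCheck` and their functions are hypothetical names, and the token is a stand-in that only tracks balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. MockCred, RewardCheck and
// their function names are hypothetical; only mint(address,uint256), the 18
// decimals and the 4-day cap are taken from the finding.
contract MockCred {
    uint8 public constant decimals = 18;
    mapping(address => uint256) public balanceOf;

    // `amount` is in base units: 10 ** decimals of them make one whole token.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }
}

contract RewardCheck {
    uint256 internal constant MAX_REWARD_DAYS = 4;
    MockCred public immutable cred;
    uint256 public immutable oneCred; // base units in one whole CRED

    constructor() {
        MockCred token = new MockCred();
        cred = token;
        oneCred = 10 ** token.decimals();
    }

    // Minting as reported: one base unit for each day threshold reached.
    function mintAsReported(address to, uint256 daysStaked) public {
        for (uint256 d = 1; d <= daysStaked && d <= MAX_REWARD_DAYS; d++) {
            cred.mint(to, 1);
        }
    }

    // Scaled minting: cap the days, convert to base units, mint once.
    function mintScaled(address to, uint256 daysStaked) public {
        uint256 rewardDays = daysStaked > MAX_REWARD_DAYS ? MAX_REWARD_DAYS : daysStaked;
        if (rewardDays > 0) cred.mint(to, rewardDays * oneCred);
    }

    // Regression check: a 4-day stake must credit 4 whole tokens, not 4 base units.
    function check() external returns (uint256 reported, uint256 scaled) {
        mintAsReported(address(0xA11CE), 4);
        mintScaled(address(0xB0B), 4);
        reported = cred.balanceOf(address(0xA11CE));
        scaled = cred.balanceOf(address(0xB0B));
        assert(reported == 4 && scaled == 4 * oneCred);
    }
}
```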

Impact

Users receive a negligible amount of CRED tokens, i.e. only 0.000000000000000001 token.

Tools Used

Manual Review

Recommendations

Mint 10^18 units to account for the 18 decimals used by the CRED token; only then is the minted amount equivalent to 1 CRED token.

if (daysStaked >= 1) {
stakedRapperStats.weakKnees = false;
- credContract.mint(msg.sender, 1);
+ credContract.mint(msg.sender, 1e18);
}
if (daysStaked >= 2) {
stakedRapperStats.heavyArms = false;
- credContract.mint(msg.sender, 1);
+ credContract.mint(msg.sender, 1e18);
}
if (daysStaked >= 3) {
stakedRapperStats.spaghettiSweater = false;
- credContract.mint(msg.sender, 1);
+ credContract.mint(msg.sender, 1e18);
}
if (daysStaked >= 4) {
stakedRapperStats.calmAndReady = true;
- credContract.mint(msg.sender, 1);
+ credContract.mint(msg.sender, 1e18);
}
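
Review bot: all four `+` lines hard-code `1e18`, which ties the reward to CRED staying at 18 decimals and repeats the same literal in every branch; a single named constant, or a value derived from the token's `decimals()`, would keep the unit in one place. Because the `daysStaked >= N` branches are cumulative, a 4-day stake still makes four separate `credContract.mint(msg.sender, 1e18)` calls; summing the reward across the branches and minting once afterwards would produce the same balance with one external call. The change would also benefit from a test that asserts the staker's CRED balance after `unstake`, so the unit cannot regress unnoticed.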
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`unstake` function mints incorrect amount of token
