A generic user can use Staking::deposit
function for staking loveToken and earn the rewards. It isn't necessary to be a soulmate to deposit the loveToken.
If a soulmate sends the loveToken to a generic user, this can be deposited into the Staking contract for earning rewards. The Staking::claimRewards
function calculates the rewards starting to evaluate the ownerToId(msg.sender)
. The generic user hasn't an Id
and the protocol assigns to him/her the value 0. But the Id = 0
is the id of the first soulmate. This leads to a wrong rewards calculation of the user.
This vulnerability is correlated to the reported vulnerability #4 "Staking::claimRewards Incorrect Calculation of Rewards Based on Soulmate Creation Time".
Manual review
Modify the claimRewards function to use the deposit timestamp as the starting point for calculating rewards. Implement a mechanism to track the first deposit timestamp for each user and ensure that the lastClaim mapping is updated accordingly. Consider adding checks to prevent users from claiming rewards before making a deposit.
High severity, as it allows any pending user to claim staking rewards without owning a soulmate NFT by - Obtaining love tokens on secondary markets - Transfer previously accrued love tokens via airdrops/rewards to another account and abusing the `deposit()` function
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.