Users can stake no tokens at all (or only a small amount) and, right before claiming the reward, deposit as much as they hold, claim the rewards immediately (provided the time since lastClaim exceeds 7 days), then withdraw their deposit and use the assets freely again.
The claimReward function on the Staking.sol contract does not record when a given amount of tokens was staked, which opens the door to a quick deposit-claim-withdraw cycle at the end of, or after, the weekly cycle.
The staking functionality can therefore be cheated: a user with effectively no funds staked can still claim rewards using this trick.
Forge testing
The staking contract should keep a log of staked tokens together with the timestamp from which they are staked. When a user deposits more tokens, the total holdings increase as well, but the contract should also track how long each portion of the stake has been held, to prevent this misuse.
One possible solution is a combination of a mapping and a struct to track the transactions and the staked/withdrawn amounts. When claiming the reward, the function should check each user transaction and determine how many tokens meet the criterion of having been staked for at least 7 days since the last claim. Each struct instance (i.e. the transaction) may also keep track of the last withdrawal separately, so that withdrawals can happen for example daily (for a staker who deposits tokens as they are received, e.g. daily).
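The following contract is an added illustration of the recommended mitigation, not the audited Staking.sol: each deposit becomes a tranche with its own timestamp, claimReward pays only for tranches that have completed a full 7-day period since their last payout, and withdraw consumes tranches individually. The contract name, field names, reward rate and the commented-out token transfers are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical time-aware staking ledger illustrating the fix; not the audited Staking.sol.
// Token transfers are left as comments so the logic stays self-contained; rate is a sample value.
contract TimeAwareStaking {
    uint256 public constant STAKE_PERIOD = 7 days;
    uint256 public constant REWARD_PER_TOKEN = 1e16; // 1% per full period (example rate)

    struct Tranche {
        uint256 amount; // tokens still held in this deposit
        uint256 since;  // deposit time, or the last time this tranche was paid out
    }
    mapping(address => Tranche[]) internal tranches;
    mapping(address => uint256) public totalStaked;
    mapping(address => uint256) public rewardsOwed;

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        // token.transferFrom(msg.sender, address(this), amount);
        tranches[msg.sender].push(Tranche(amount, block.timestamp));
        totalStaked[msg.sender] += amount;
    }

    // Only tranches that completed a full STAKE_PERIOD since their last payout count.
    // A deposit made just before the call has since == block.timestamp and earns nothing,
    // which closes the deposit-claim-withdraw loop described in the finding.
    function claimReward() external returns (uint256 eligible) {
        Tranche[] storage list = tranches[msg.sender];
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i].amount > 0 && block.timestamp - list[i].since >= STAKE_PERIOD) {
                eligible += list[i].amount;
                list[i].since = block.timestamp; // restart the clock for this tranche only
            }
        }
        rewardsOwed[msg.sender] += (eligible * REWARD_PER_TOKEN) / 1e18;
    }

    // Withdraws newest tranches first so the longest-held tokens keep their timers;
    // a user who deposits daily can withdraw recent tokens without resetting older ones.
    function withdraw(uint256 amount) external {
        require(amount <= totalStaked[msg.sender], "insufficient stake");
        Tranche[] storage list = tranches[msg.sender];
        uint256 remaining = amount;
        for (uint256 i = list.length; i > 0 && remaining > 0; i--) {
            uint256 take = list[i - 1].amount < remaining ? list[i - 1].amount : remaining;
            list[i - 1].amount -= take;
            remaining -= take;
        }
        totalStaked[msg.sender] -= amount;
        // token.transfer(msg.sender, amount);
    }
}
```

Because eligibility is evaluated per tranche on the tokens still held in it, tokens withdrawn before their period completes earn nothing, while tokens that completed the period and were then withdrawn can no longer be counted on a later claim.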
High severity: this allows users to claim additional rewards without committing to the intended weekly staking period, via multiple deposits or a single deposit right before claiming rewards.