Submission Details
Severity: medium
Invalid

The `deposit` function in the Staking contract lacks proper validation to check if there are remaining LoveToken rewards in the staking contract vault before allowing users to deposit tokens

Summary

The deposit function in the Staking contract lacks proper validation to check if there are remaining LoveToken rewards in the staking contract vault before allowing users to deposit tokens. This vulnerability could potentially lead to users depositing tokens without the expectation of receiving rewards.

Vulnerability Details

The deposit function does not include a check to verify if there are remaining LoveToken rewards in the staking contract vault before users can deposit tokens. As a result, users can deposit tokens without being aware that no rewards are available, leading to financial losses for users who expect to receive rewards for staking their tokens.

```solidity
function deposit(uint256 amount) public {
    if (loveToken.balanceOf(address(stakingVault)) == 0)
        revert Staking__NoMoreRewards();
    // No require needed because of overflow protection
    userStakes[msg.sender] += amount;
    loveToken.transferFrom(msg.sender, address(this), amount);
    emit Deposited(msg.sender, amount);
}
```

Impact

The lack of validation in the deposit function allows users to deposit tokens without being informed of the unavailability of LoveToken rewards. This could lead to financial losses for users who expect to receive rewards for staking their tokens but end up not receiving any rewards due to the depletion of the reward pool.

Tools Used

Manual code review was conducted to identify the vulnerability in the Staking contract.

Recommendations

  • Implement a validation check in the deposit function to verify if there are remaining LoveToken rewards in the staking contract vault before allowing users to deposit tokens.

  • Add a requirement to ensure that users are informed if there are no more rewards available for staking, preventing them from depositing tokens without the expectation of receiving rewards.

```solidity
/// @notice Function to deposit LoveTokens into the staking contract.
/// @param amount The amount of LoveTokens to deposit.
function deposit(uint256 amount) public {
    // Check if there are remaining LoveToken rewards in the staking contract vault
    if (loveToken.balanceOf(address(stakingVault)) == 0) {
        revert Staking__NoMoreRewards();
    }
    // Add a requirement to inform users if there are no more rewards available for staking
    require(loveToken.balanceOf(address(stakingVault)) > 0, "No more rewards available for staking");
    // No require needed because of overflow protection
    userStakes[msg.sender] += amount;
    loveToken.transferFrom(msg.sender, address(this), amount);
    emit Deposited(msg.sender, amount);
}
```

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
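
A Foundry test that exercises the `deposit` snippet quoted in the submission, showing how its vault-balance guard behaves with an empty vault and with a single wei of rewards. This is an added example, not code from the submission or the audited project: `MockLoveToken`, `StakingHarness`, the vault address and the test name are constructed for illustration, and the mock omits allowances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for LoveToken: only the calls deposit() relies on.
contract MockLoveToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    // Assumption: allowances are omitted; underflow reverts on insufficient balance.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical harness holding only deposit() as quoted in the submission.
contract StakingHarness {
    error Staking__NoMoreRewards();
    event Deposited(address indexed user, uint256 amount);
    MockLoveToken public loveToken;
    address public stakingVault;
    mapping(address => uint256) public userStakes;
    constructor(MockLoveToken token, address vault) { loveToken = token; stakingVault = vault; }
    function deposit(uint256 amount) public {
        if (loveToken.balanceOf(address(stakingVault)) == 0)
            revert Staking__NoMoreRewards();
        userStakes[msg.sender] += amount;
        loveToken.transferFrom(msg.sender, address(this), amount);
        emit Deposited(msg.sender, amount);
    }
}

contract DepositGuardTest is Test {
    MockLoveToken token;
    StakingHarness staking;
    address vault = address(0xA11CE); // constructed vault address
    function setUp() public {
        token = new MockLoveToken();
        staking = new StakingHarness(token, vault);
        token.mint(address(this), 10 ether);
    }
    function test_EmptyVaultReverts_OneWeiPasses() public {
        vm.expectRevert(StakingHarness.Staking__NoMoreRewards.selector);
        staking.deposit(1 ether); // vault balance is 0, so the guard reverts
        token.mint(vault, 1); // a single wei of rewards satisfies the guard
        staking.deposit(1 ether);
        assertEq(staking.userStakes(address(this)), 1 ether);
    }
}
```

Run with `forge test` inside a Foundry project that has `forge-std` installed.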