Submission Details
Severity:
Divorced users can claim staking rewards
Summary
The Staking contract allows a divorced users to claim staking rewards.
Vulnerability Details
The claimRewards() function in Staking.sol does not check if a user is divorced, so he can claim rewards, which is incorrect
function testClaimRewardsDivorced() public {
_mintOneTokenForBothSoulmates();
// Deposit and claim
vm.startPrank(soulmate1);
vm.warp(block.timestamp + 10 days);
airdropContract.claim();
uint256 initialBalance = loveToken.balanceOf(soulmate1);
loveToken.approve(address(stakingContract), initialBalance);
stakingContract.deposit(loveToken.balanceOf(soulmate1));
// Get divorced
soulmateContract.getDivorced();
vm.warp(block.timestamp + 10 days);
initialBalance = loveToken.balanceOf(soulmate1);
stakingContract.claimRewards();
// Compare balances
console2.log("initialBalance", initialBalance);
console2.log("balance", loveToken.balanceOf(soulmate1));
}
Impact
Divorced users can steal tokens from the staking vault.
Tools Used
Foundry, Manual review
Recommendations
Add a divorced check in Staking:claimRewards()
+error Staking__CoupleIsDivorced();
function claimRewards() public {
+ if (soulmateContract.isDivorced(msg.sender)) revert Staking__CoupleIsDivorced();
uint256 soulmateId = soulmateContract.ownerToId(msg.sender);
// first claim
if (lastClaim[msg.sender] == 0) {
lastClaim[msg.sender] = soulmateContract.idToCreationTimestamp(
soulmateId
);
}
Updates
Lead Judging Commences
0xnevi over 1 year ago
Submission Judgement Published Assigned finding tags:
finding-isDivorced-wrong-check
Rewards breakdown
nSLOC
233This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.