Soulmate waiting to reunite can claim an abnormal amount of LoveTokens as staked rewards in StakingVault
Summary
Soulmate waiting to reunite can get an unexpectedly high amount of LoveTokens as staking rewards. As the idToCreationTimestamp of the token has not been set yet, it equals zero, the calculation of the period for the stake is then too high, and the reward is miscalculated.
Vulnerability Details
The attacker calls mintSoulmateToken() after the emission of SoulmateAreReunited (so that he is the first in the couple)
the attacker then deposit a certain quantity (X) of LoveToken in the staking contract (that he got from any way)
The attacker then can claim staking rewards:
As the soulmateContract.idToCreationTimestamp(soulmateId) is not set up yet, this will be equal to 0
timeInWeeksSinceLastClaim is then equal to "(block.timestamp - 0 ) / 1 weeks" ( approx equals to 2823)
Then the uint256 amountToClaim = userStakes[msg.sender] * timeInWeeksSinceLastClaim; is very high, resulting in
to be a lot higher than expected (X * 2823)
Impact
Users can be rewarded a overevaluated amount of tokens.
Tools Used
Manual review
Recommendations
Check if msg.sender has a soulmate
Lead Judging Commences
finding-claimRewards-nft-0-lastClaim
High severity, as it allows any pending user to claim staking rewards without owning a soulmate NFT by - Obtaining love tokens on secondary markets - Transfer previously accrued love tokens via airdrops/rewards to another account and abusing the `deposit()` function
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.