Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Lack of a zero-value check in `StakingPool::donateTokens`, which will cause confusion and undesirable behaviour.

Relevant GitHub Links

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/StakingPool.sol#L433

Summary

A user can donate zero tokens, which needlessly updates totalStaked.

Vulnerability Details

The StakingPool::donateTokens function lets a user donate tokens to the pool. If the donated amount is zero (0), no tokens are deposited and the pool receives no funds, yet the totalStaked storage variable is still written to and the DonateTokens event is still emitted, implying that a donation took place when in reality none did:

function donateTokens(uint256 _amount) external {
    // @audit missing zero-value check: a call with _amount == 0 still
    // reaches the transfer, writes totalStaked and emits DonateTokens
    token.safeTransferFrom(msg.sender, address(this), _amount);
    totalStaked += _amount;
    emit DonateTokens(msg.sender, _amount);
}

Impact

Several undesirable impacts:

- Misleading Events: Emitting an event for a zero token donation could confuse users who see a log indicating they donated tokens, even though no actual donation took place.

- Unnecessary Updates to totalStaked: Incrementing totalStaked by zero does not change its value but may still trigger state changes and additional gas costs.

- Wasted Gas: A token transfer for zero value still incurs gas costs, even though no tokens are actually transferred.

Tools Used

Manual review.

Recommendations

function donateTokens(uint256 _amount) external {
+   require(_amount > 0, "Amount must be greater than zero");
    token.safeTransferFrom(msg.sender, address(this), _amount);
    totalStaked += _amount;
    emit DonateTokens(msg.sender, _amount);
}
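The following Foundry test reproduces the behaviour described in Vulnerability Details and Impact and checks the recommended fix. It is an added example, not code from the Stakelink repository: `DonatePool` is a cut-down stand-in for the pool reduced to the donate path, `MockToken` is a constructed ERC-20, the `indexed` modifier on the event parameter and the `forge-std`/OpenZeppelin imports are assumptions, and `rejectZero` is a hypothetical switch used only so that the vulnerable and hardened variants can sit side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed to be available via remappings (forge-std, OpenZeppelin).
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock token for the test; not the protocol's staking token.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MOCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

// Minimal stand-in for StakingPool, reduced to the donate path under discussion.
contract DonatePool {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    uint256 public totalStaked;
    bool public immutable rejectZero; // hypothetical switch: true = recommended fix applied

    event DonateTokens(address indexed sender, uint256 amount);

    constructor(IERC20 _token, bool _rejectZero) {
        token = _token;
        rejectZero = _rejectZero;
    }

    function donateTokens(uint256 _amount) external {
        // Recommended check from the finding; skipped in the vulnerable variant.
        if (rejectZero) require(_amount > 0, "Amount must be greater than zero");
        token.safeTransferFrom(msg.sender, address(this), _amount);
        totalStaked += _amount;
        emit DonateTokens(msg.sender, _amount);
    }
}

contract DonateZeroTest is Test {
    MockToken token;
    DonatePool vulnerable;
    DonatePool hardened;
    address donor = makeAddr("donor");

    event DonateTokens(address indexed sender, uint256 amount);

    function setUp() public {
        token = new MockToken();
        vulnerable = new DonatePool(token, false);
        hardened = new DonatePool(token, true);
        token.mint(donor, 1 ether);
        vm.startPrank(donor);
        token.approve(address(vulnerable), type(uint256).max);
        token.approve(address(hardened), type(uint256).max);
        vm.stopPrank();
    }

    // Vulnerable path: a zero donation succeeds, moves no funds, leaves
    // totalStaked unchanged, but still emits DonateTokens(donor, 0).
    function test_ZeroDonationEmitsEventWithoutFunds() public {
        vm.expectEmit(true, false, false, true, address(vulnerable));
        emit DonateTokens(donor, 0);
        vm.prank(donor);
        vulnerable.donateTokens(0);
        assertEq(token.balanceOf(address(vulnerable)), 0);
        assertEq(vulnerable.totalStaked(), 0);
    }

    // Hardened path: the same call reverts with the recommended message.
    function test_HardenedRejectsZero() public {
        vm.prank(donor);
        vm.expectRevert(bytes("Amount must be greater than zero"));
        hardened.donateTokens(0);
    }

    // Sanity check: a genuine donation still works after the fix.
    function test_HardenedAcceptsNonZero() public {
        vm.prank(donor);
        hardened.donateTokens(1 ether);
        assertEq(hardened.totalStaked(), 1 ether);
        assertEq(token.balanceOf(address(hardened)), 1 ether);
    }
}
```

Run with `forge test -vv`. The first test is the detection side of the finding: anyone indexing DonateTokens logs sees a donation record for an address that transferred nothing, which is exactly the misleading-event impact listed above.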
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
