In StakingRewards.sol L242, the withdraw() function does not check how much a user's balance of LP tokens comes from the locked portion of stakes, and thus may allow a user to withdraw from their locked balance. When doing so, it subtracts the non-boosted amount from _boosted_balances instead of the boosted, locked amount, and thus allows for people to manipulate their balance in the StakingRewards contract.
This bug has been reported by @samczsun.
Link to bug:
_staking_token_boosted_supply = _staking_token_boosted_supply.sub(amount);
frax-solidity/contracts/Staking/StakingRewards.sol
Line 242 in 889b310
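
The accounting flaw described in this report, shown beside one possible mitigation in a simplified model. This is an added example, not code from the frax-solidity repository and not the project's actual fix. Only `_boosted_balances` and `_staking_token_boosted_supply` come from the report; every other name is hypothetical, and token transfers, rewards and lock expiry are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified accounting model written for this note; NOT the Frax contract.
// All names except _boosted_balances and _staking_token_boosted_supply are hypothetical.
contract StakingAccountingModel {
    uint256 constant MULTIPLIER_PRECISION = 1e6; // 3e6 means a 3x boost

    mapping(address => uint256) public _balances;         // all staked LP tokens
    mapping(address => uint256) public _locked_balances;  // portion that is locked
    mapping(address => uint256) public _boosted_balances; // reward weight
    uint256 public _staking_token_boosted_supply;

    function stake(uint256 amount) external {
        _balances[msg.sender] += amount;
        _boosted_balances[msg.sender] += amount; // unlocked stake counts 1x
        _staking_token_boosted_supply += amount;
    }

    function stakeLocked(uint256 amount, uint256 multiplier) external {
        require(multiplier >= MULTIPLIER_PRECISION, "multiplier below 1x");
        uint256 boosted = amount * multiplier / MULTIPLIER_PRECISION;
        _balances[msg.sender] += amount;
        _locked_balances[msg.sender] += amount;
        _boosted_balances[msg.sender] += boosted; // locked stake counts more than 1x
        _staking_token_boosted_supply += boosted;
    }

    // Pattern from the report: only the total balance is checked, so locked
    // tokens can leave, and the raw amount (not the boosted amount) is removed.
    // After stakeLocked(100, 3e6) and this call with 100, _balances is 0
    // while _boosted_balances still holds 200 of unbacked reward weight.
    function withdrawAsReported(uint256 amount) external {
        require(amount <= _balances[msg.sender], "exceeds balance");
        _remove(amount);
    }

    // Mitigation: cap the withdrawal at the unlocked portion. Unlocked stake
    // was credited 1x, so removing the raw amount keeps the weights consistent.
    function withdrawUnlockedOnly(uint256 amount) external {
        uint256 unlocked = _balances[msg.sender] - _locked_balances[msg.sender];
        require(amount <= unlocked, "exceeds unlocked balance");
        _remove(amount);
    }

    function _remove(uint256 amount) internal {
        _balances[msg.sender] -= amount;
        _boosted_balances[msg.sender] -= amount;
        _staking_token_boosted_supply -= amount;
    }
}
```

A useful test invariant for contracts of this shape is that an account whose `_balances` entry is zero must also have a zero `_boosted_balances` entry.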