Lock.sol::totalLocked public variable is not updated in the Lock.sol::extendLock() function. #264
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-23
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L19
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/Lock.sol#L84
Vulnerability details
Impact
The extendLock() function helps to change the BondNFT lock parameters (amount, period). The problem is
totalLocked
is not increased.The
totalLocked
is a public variable, so there may be wrong information for those who consult that specific information:Proof of Concept
I created this test in
test/09.Bond.js
where you can see the extendLock() does not increase thetotalLocked
variable::Tools used
VsCode/Hardhat
Recommended Mitigation Steps
Add the
totalLocked
incremention in theLock.sol::extendLock()
functionThe text was updated successfully, but these errors were encountered: