Lock: extendLock() did not update totalLocked, thus preventing the user from withdrawing the asset #330
Labels:
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-23
edited-by-warden
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Lock.sol#L84-L92
Vulnerability details
Impact
When the user deposits assets into the Lock via lock(), totalLocked is correctly updated.
extendLock() does not do the same, which leaves totalLocked incorrect.
As a result, the release function overflows when it recalculates totalLocked, preventing the user from withdrawing the asset.
Consider the following scenario:
User A calls Lock.lock to deposit 100 tokens for one month, after which totalLocked = 100.
User A then calls Lock.extendLock to deposit 100 tokens again. totalLocked is still 100, since Lock.extendLock does not update totalLocked.
After one month, user A calls Lock.release to withdraw the tokens. Because lockAmount == 200, totalLocked - lockAmount overflows and the function fails, so the tokens cannot be withdrawn.
Proof of Concept
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Lock.sol#L84-L92
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/Lock.sol#L98-L105
Tools Used
None
Recommended Mitigation Steps
function extendLock( uint _id, uint _amount, uint _period ) public { address _asset = claim(_id); IERC20(_asset).transferFrom(msg.sender, address(this), _amount); + totalLocked[_asset] += _amount; bondNFT.extendLock(_id, _asset, _amount, _period, msg.sender); }
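Review bot: On the `transferFrom` line directly above the added `totalLocked[_asset] += _amount;`, the return value is discarded, so the new increment runs even for a token that signals failure by returning false instead of reverting, and totalLocked would then exceed what the contract actually received. Consider checking the return value (or using a safe-transfer wrapper) before the increment, and add a regression test that calls lock, extendLock and release in sequence so the accounting stays pinned.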
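The scenario from the report, replayed against a small Python model of the accounting. This is an added example, not code from the report or from the Tigris contracts: `LockModel`, `Revert`, `checked_sub`, `invariant_holds` and `run_scenario` are hypothetical names, and the model assumes only per-asset totals and per-bond amounts matter.

```python
class Revert(Exception):
    """Stands in for a Solidity 0.8 checked-arithmetic revert."""

def checked_sub(a, b):
    # Solidity >= 0.8 reverts instead of wrapping when b > a.
    if b > a:
        raise Revert("arithmetic underflow or overflow")
    return a - b

class LockModel:
    """Simplified model (assumption): only amounts and totalLocked are tracked."""
    def __init__(self, patched):
        self.patched = patched      # True applies the recommended mitigation
        self.total_locked = {}      # asset -> total, mirrors totalLocked
        self.bonds = {}             # bond id -> (asset, amount)

    def lock(self, asset, amount):
        self.total_locked[asset] = self.total_locked.get(asset, 0) + amount
        bond_id = len(self.bonds) + 1
        self.bonds[bond_id] = (asset, amount)
        return bond_id

    def extend_lock(self, bond_id, amount):
        asset, locked = self.bonds[bond_id]
        if self.patched:
            self.total_locked[asset] += amount   # the line the fix adds
        self.bonds[bond_id] = (asset, locked + amount)

    def release(self, bond_id):
        asset, amount = self.bonds[bond_id]
        self.total_locked[asset] = checked_sub(self.total_locked[asset], amount)
        del self.bonds[bond_id]
        return amount

    def invariant_holds(self):
        # Accounting invariant: totalLocked per asset equals the sum of open bonds.
        sums = {}
        for asset, amount in self.bonds.values():
            sums[asset] = sums.get(asset, 0) + amount
        assets = set(sums) | set(self.total_locked)
        return all(self.total_locked.get(a, 0) == sums.get(a, 0) for a in assets)

def run_scenario(patched):
    """lock 100, extend by 100, release; returns (invariant_ok, release result)."""
    model = LockModel(patched)
    bond = model.lock("TOKEN", 100)      # constructed sample asset name
    model.extend_lock(bond, 100)
    invariant_ok = model.invariant_holds()
    try:
        return invariant_ok, model.release(bond)
    except Revert as err:
        return invariant_ok, str(err)
```

The invariant check fails immediately after `extend_lock` in the unpatched model, well before `release` reverts, which makes it a useful assertion for a fuzz or invariant test of the real contract.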