This repository has been archived by the owner on May 26, 2023. It is now read-only.
WATCHPUG - increaseLock() should read userDeposit[_receiver] instead of depositsOf[_msgSender()]
#102
Comments
This was referenced Oct 14, 2022
|
Agree on the recommendation, thanks! |
|
PR from this issue |
|
Fix confirmed |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
WATCHPUG
high
increaseLock()should readuserDeposit[_receiver]instead ofdepositsOf[_msgSender()]Summary
TimeLockPool.sol#L203should readdepositsOf[_receiver][_depositId]asuserDeposit.Vulnerability Detail
TimeLockPool.sol#L230inincreaseLock()is loadingdepositsOf[_msgSender()][_depositId]asuserDeposit, which will later be used to check if the deposit has expired (L206-208) and calculating theremainingDuration(L213).This
remainingDurationwill be used to calculate the multiplier for themintAmountat L215.Impact
As a result, the
_receivercan receive a much larger shares.For example, if the receiver only has 10 mins left in
depositsOf[_receiver][_depositId], butdepositsOf[_msgSender()][_depositId]have 4 years left. ThemintAmountwill be 5x than expected.Or fewer shares than expected when the caller's deposit's
remainingDurationis shorter than the receiver's.Code Snippet
https://github.com/sherlock-audit/2022-10-merit-circle/blob/main/merit-liquidity-mining/contracts/TimeLockPool.sol#L197-L222
Tool used
Manual Review
Recommendation
Change L203 to:
The text was updated successfully, but these errors were encountered: