This repository has been archived by the owner on May 26, 2023. It is now read-only.
increaseLock() should read userDeposit[_receiver] instead of depositsOf[_msgSender()]
Summary
TimeLockPool.sol#L203 should read depositsOf[_receiver][_depositId] as userDeposit.
Vulnerability Detail
TimeLockPool.sol#L230 in increaseLock() loads depositsOf[_msgSender()][_depositId] as userDeposit, which is later used to check whether the deposit has expired (L206-208) and to calculate the remainingDuration (L213).
This remainingDuration will be used to calculate the multiplier for the mintAmount at L215.
Impact
As a result, the _receiver can receive far more shares than intended.
For example, if depositsOf[_receiver][_depositId] has only 10 minutes left but depositsOf[_msgSender()][_depositId] has 4 years left, the mintAmount will be 5x what is expected.
Or fewer shares than expected when the caller's deposit's remainingDuration is shorter than the receiver's.
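To make the impact concrete, here is a constructed Python model of the share calculation in increaseLock() as the report describes it. This is an added example, not the TimeLockPool.sol code: the 4-year maximum lock, the linear 1x-to-5x multiplier curve, the Deposit layout and the label-keyed depositsOf mapping are all assumptions, chosen so that the numbers line up with the 10-minutes-versus-4-years example above. It places the buggy lookup (keyed by the caller) beside the recommended one (keyed by the receiver).

```python
# Constructed model of increaseLock()'s mint calculation (NOT TimeLockPool.sol).
# Assumptions: 4-year max lock, linear multiplier from 1x (no time left) to
# 5x (full lock left), depositsOf keyed by a label instead of an address.
from dataclasses import dataclass
from typing import Dict

MAX_LOCK_DURATION = 4 * 365 * 24 * 60 * 60  # assumed 4-year max lock, in seconds
MAX_BONUS = 4                                # assumed: multiplier runs 1x .. 5x


@dataclass
class Deposit:
    amount: int
    end: int  # unix timestamp at which the lock expires


# depositsOf[owner][depositId]
Deposits = Dict[str, Dict[int, Deposit]]


def get_multiplier(remaining_duration: int) -> float:
    """Assumed linear bonus: 1x with nothing left, 5x with a full 4 years left."""
    capped = min(remaining_duration, MAX_LOCK_DURATION)
    return 1 + MAX_BONUS * capped / MAX_LOCK_DURATION


def shares_for_increase(deposits: Deposits, owner: str, deposit_id: int,
                        increase_amount: int, now: int) -> float:
    """The steps the report cites: load userDeposit, require it has not
    expired, derive remainingDuration, scale the increase by the multiplier."""
    user_deposit = deposits[owner][deposit_id]
    if user_deposit.end <= now:
        raise ValueError("deposit expired")
    remaining_duration = user_deposit.end - now
    return increase_amount * get_multiplier(remaining_duration)


def increase_lock_buggy(deposits: Deposits, sender: str, receiver: str,
                        deposit_id: int, increase_amount: int, now: int) -> float:
    # The bug: the deposit is looked up under the caller, so the receiver's new
    # shares (and the expiry check) are based on someone else's remaining lock.
    return shares_for_increase(deposits, sender, deposit_id, increase_amount, now)


def increase_lock_fixed(deposits: Deposits, sender: str, receiver: str,
                        deposit_id: int, increase_amount: int, now: int) -> float:
    # Recommended fix: read depositsOf[_receiver][_depositId].
    return shares_for_increase(deposits, receiver, deposit_id, increase_amount, now)


def report_example(now: int = 0) -> dict:
    """Receiver has 10 minutes left, caller has 4 years left, increase is 1000."""
    deposits: Deposits = {
        "receiver": {0: Deposit(amount=1000, end=now + 600)},
        "caller": {0: Deposit(amount=1000, end=now + MAX_LOCK_DURATION)},
    }
    buggy = increase_lock_buggy(deposits, "caller", "receiver", 0, 1000, now)
    fixed = increase_lock_fixed(deposits, "caller", "receiver", 0, 1000, now)
    return {"buggy": buggy, "fixed": fixed, "ratio": buggy / fixed}


if __name__ == "__main__":
    # buggy ~5000 shares vs fixed ~1000 shares: about 5x, as the report states
    print(report_example())
```

Under these assumptions the caller-keyed lookup mints about 5000 shares to the receiver where the receiver-keyed lookup mints about 1000, and it also skips the expiry check on the receiver's deposit, since the expiry tested is the caller's.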
WATCHPUG
high
Code Snippet
https://github.com/sherlock-audit/2022-10-merit-circle/blob/main/merit-liquidity-mining/contracts/TimeLockPool.sol#L197-L222
Tool used
Manual Review
Recommendation
Change L203 to: