It's possible to initialize contract BkdLocker multiple times by sending startBoost=0 and, each time, different values for the other parameters #136
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/BkdLocker.sol#L53-L64
Vulnerability details
Impact
The function initialize() of BkdLocker is supposed to be called once, so that the contract is initialized exactly once. But if it is called with startBoost=0, it can be called again with different values for the other parameters. Some logic depends on the values initialize() sets, namely the boost calculation and the withdraw delay. By initializing multiple times, different users get different values for that logic, and because rewards are distributed based on boosts, the reward distribution will be wrong too.
Proof of Concept
This is the initialize() code in BkdLocker:
As you can see, it checks the initialization status by the value of currentUInts256[_START_BOOST], but this is not a correct way to do it: the initializer can set currentUInts256[_START_BOOST] to 0, set the other parameter values, and call this function multiple times with different values for _MAX_BOOST, _INCREASE_PERIOD and _WITHDRAW_DELAY. Setting different values for those parameters causes different calculations in computeNewBoost() and prepareUnlock(). computeNewBoost() is used to calculate users' boost parameters, which are used in reward distribution, so by changing _MAX_BOOST the rewards will be distributed wrongly between old users and new users.
Tools Used
VIM
Recommended Mitigation Steps
Add a separate variable to track the initialization status of the contract, instead of inferring it from currentUInts256[_START_BOOST].
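As an added illustration (not the Backd BkdLocker code and not part of the original report), a simplified contract in the same shape: the vulnerable guard infers "initialized" from the start-boost config slot, which the caller can legitimately set to zero, while the hardened version keeps a dedicated flag. The contract and variable names (`LockerConfig`, `VulnerableLocker`, `FixedLocker`, `_initialized`) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified sketch of the guard pattern described in this report;
// it is not the Backd BkdLocker code. Access control on initialize() is omitted
// because the report's point is the guard itself, not who may call it.
abstract contract LockerConfig {
    bytes32 internal constant _START_BOOST = keccak256("START_BOOST");
    bytes32 internal constant _MAX_BOOST = keccak256("MAX_BOOST");
    bytes32 internal constant _INCREASE_PERIOD = keccak256("INCREASE_PERIOD");
    bytes32 internal constant _WITHDRAW_DELAY = keccak256("WITHDRAW_DELAY");
    // Config store keyed by parameter name, mirroring currentUInts256[...] in the report.
    mapping(bytes32 => uint256) public currentUInts256;

    function _setAll(uint256 startBoost, uint256 maxBoost, uint256 increasePeriod, uint256 withdrawDelay) internal {
        currentUInts256[_START_BOOST] = startBoost;
        currentUInts256[_MAX_BOOST] = maxBoost;
        currentUInts256[_INCREASE_PERIOD] = increasePeriod;
        currentUInts256[_WITHDRAW_DELAY] = withdrawDelay;
    }
}

// Weak guard: "initialized" is inferred from a config value the caller chooses.
// initialize(0, a, b, c) followed by initialize(0, x, y, z) both pass the require,
// so _MAX_BOOST, _INCREASE_PERIOD and _WITHDRAW_DELAY can be rewritten after launch.
contract VulnerableLocker is LockerConfig {
    function initialize(uint256 startBoost, uint256 maxBoost, uint256 increasePeriod, uint256 withdrawDelay) external {
        require(currentUInts256[_START_BOOST] == 0, "already initialized");
        _setAll(startBoost, maxBoost, increasePeriod, withdrawDelay);
    }
}

// Fix along the lines the report recommends: a dedicated flag that no
// parameter value can leave unset, so a second call always reverts.
contract FixedLocker is LockerConfig {
    bool private _initialized;

    function initialize(uint256 startBoost, uint256 maxBoost, uint256 increasePeriod, uint256 withdrawDelay) external {
        require(!_initialized, "already initialized");
        _initialized = true; // flip the flag before any other state write
        _setAll(startBoost, maxBoost, increasePeriod, withdrawDelay);
    }
}
```

A unit test that calls initialize(0, ...) twice on each contract makes the difference visible: the second call succeeds on VulnerableLocker and reverts on FixedLocker.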