Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Naresh - Users will not receive the correct reward tokens when MlumStaking is Under-supplied #133

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024

Naresh

Medium

Users will not receive the correct reward tokens when MlumStaking is Under-supplied

Summary

The _safeRewardTransfer() function of the MlumStaking contract. When the contract is undersupplied with reward tokens, it can cause the _harvestPosition() function to send fewer tokens than needed or revert subsequent activities. This issue arises because the missing tokens are not accounted for, potentially leading to users not receiving the expected rewards.

Vulnerability Detail

All calculations are rounded down since a lack of reward tokens in the contracts cannot be attributed to rounding errors. Therefore, the rounding function is redundant.

If the contract is undersupplied with reward tokens, the _harvestPosition() function will send fewer tokens than needed or revert all subsequent activities. This is particularly unsafe because the missing tokens are not accounted for. Consequently, a user who creates a staking position might invoke the _safeRewardTransfer() function and not receive the tokens they were supposed to.

   function _safeRewardTransfer(address _to, uint256 _amount) internal {
        uint256 rewardBalance = rewardToken.balanceOf(address(this));

        if (_amount > rewardBalance) {
            _lastRewardBalance = _lastRewardBalance - rewardBalance;
            rewardToken.safeTransfer(_to, rewardBalance);
        } else {
            _lastRewardBalance = _lastRewardBalance - _amount;
            rewardToken.safeTransfer(_to, _amount);
        }
    }

Past Related Issues:

code-423n4/2022-02-concur-findings#244

code-423n4/2022-05-aura-findings#272

Impact

The functions addToPosition, _withdrawFromPosition,_lockPosition, harvestPosition, harvestPositionTo,harvestPositionsTo will not transfer the correct reward tokens when MlumStaking is undersupplied.

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L739-L749

Tool used

Manual Review

Recommendation

To ensure that the _safeRewardTransfer() function only executes when there is a positive reward balance, add the following require statement:

 require(rewardBalance > 0, "_safeRewardTransfer: balance is zero");

Alternatively, use the usual safeTransfer instead of _safeRewardTransfer.

@0xSmartContract
Copy link
Collaborator

The architectural preference of the MlumStaking contract is to send the available reward tokens in cases where there are insufficient reward tokens, as a better method than not sending any reward tokens at all. This preference is based on several important factors:

User Experience
It provides a more positive user experience for users to receive the available reward tokens rather than not receiving any rewards at all. This increases the satisfaction of users by receiving their rewards, even if only partially.

Better Than the Revert Alternative
In case of revert of the contract, all transactions of the users fail and the users do not receive any rewards. This means that the transactions are not completed and the users are disappointed. Incomplete reward sending ensures that the transactions are completed and this situation has a more positive result than reverting.

In addition; The probability of insufficient reward tokens is low. The project usually provides enough reward tokens and ensures that the system works properly. Therefore, the probability of this situation occurring is considered very low.

Incomplete Reward Sending and Monitoring
The lack of tracking of missing rewards can be seen as a weakness in the system. However, this is part of the architectural choice and was considered an acceptable risk for the operation of the project.

@sherlock-admin4 sherlock-admin4 changed the title Crazy Ceramic Huskie - Users will not receive the correct reward tokens when MlumStaking is Under-supplied Naresh - Users will not receive the correct reward tokens when MlumStaking is Under-supplied Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Non-Reward This issue will not receive a payout label Jul 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout
Projects
None yet
Development

No branches or pull requests

3 participants