Infinity NFT Marketplace contest - auditor0517's results

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L116-L131 https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L290-L325

Vulnerability details

Impact

Users could lose an unvested amount permanently after InfinityStaker.unstake().

Proof of Concept

It's because the timestamp of lower duration would be larger than the one of higher duration. So vested amount of higher duration would be positive when vested amount of lower duration is 0.

1. Stake amount 1 for SIX_MONTHS duration.
2. 6 months later, stake another amount 1 for THREE_MONTHS duration.
3. 1 day later, try to unstake amount 1.
4. unstake will work without reverts because the vested amount of SIX_MONTHS is 1. But it will clear the staked amount of THREE_MONTHS also from L302-L304.

Tools Used

Manual Review

Recommended Mitigation Steps

The vested amount is 0 or staked amount whether it meets timestamp requirement or not. So you can check if the vested amount is greater than 0 before clear staked amount.

if (amount > noVesting) {
  userstakedAmounts[user][Duration.NONE].amount = 0;
  userstakedAmounts[user][Duration.NONE].timestamp = 0;
  amount = amount - noVesting;
  if (amount > vestedThreeMonths) {
    if(vestedThreeMonths != 0) { //new condition
      userstakedAmounts[user][Duration.THREE_MONTHS].amount = 0;
      userstakedAmounts[user][Duration.THREE_MONTHS].timestamp = 0;
      amount = amount - vestedThreeMonths;
    }
    if (amount > vestedSixMonths) {
      if(vestedSixMonths != 0) {  //new condition
        userstakedAmounts[user][Duration.SIX_MONTHS].amount = 0;
        userstakedAmounts[user][Duration.SIX_MONTHS].timestamp = 0;
        amount = amount - vestedSixMonths;
      }
      if (amount > vestedTwelveMonths) {
        if(vestedTwelveMonths != 0)  //new condition
        {
          userstakedAmounts[user][Duration.TWELVE_MONTHS].amount = 0;
          userstakedAmounts[user][Duration.TWELVE_MONTHS].timestamp = 0;
        }
      } else {
        userstakedAmounts[user][Duration.TWELVE_MONTHS].amount -= amount;
      }
    } else {
      userstakedAmounts[user][Duration.SIX_MONTHS].amount -= amount;
    }
  } else {
    userstakedAmounts[user][Duration.THREE_MONTHS].amount -= amount;
  }
} else {
  userstakedAmounts[user][Duration.NONE].amount -= amount;
}