Back to gajiknownnothing's contests

Munchables - gajiknownnothing's results

A web3 point farming game in which Keepers nurture creatures to help them evolve, deploying strategies to earn them rewards in competition with other players.

General Information

Platform: Code4rena

Start Date: 22/05/2024

Pot Size: $20,000 USDC

Total HM: 6

Participants: 126

Period: 5 days

Judge: 0xsomeone

Total Solo HM: 1

Id: 379

League: ETH

Munchables

Findings Distribution

Researcher Performance

Rank: 85/126

Findings: 1

Award: $0.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryMunchables

Findings Information

🌟 Selected for report: SpicyMeatball

Also found by: 0rpse, 0xMosh, 0xblack_bird, 0xdice91, 0xhacksmithh, 0xleadwizard, 0xmystery, Audinarey, AvantGard, Bigsam, Dots, EPSec, Eeyore, Janio, Limbooo, LinKenji, Mahmud, MrPotatoMagic, Myd, Oxsadeeq, Sabit, SovaSlava, Stefanov, Tychai0s, Utsav, Varun_05, Walter, adam-idarrha, ahmedaghadi, araj, aslanbek, ayden, bigtone, c0pp3rscr3w3r, carrotsmuggler, crypticdefense, dhank, fyamf, gajiknownnothing, gavfu, itsabinashb, jasonxiale, joaovwfreire, ke1caM, leegh, merlinboii, mitko1111, n4nika, pfapostol, prapandey031, rouhsamad, sandy, snakeeaterr, stakog, steadyman, swizz, tedox, th3l1ghtd3m0n, trachev, turvy_fuzz, xyz, yashgoel72, zhaojohnson

Awards

0.014 USDC - $0.01

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
:robot:_03_group
duplicate-7

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L256-L261

Vulnerability details

Impact

The setLockDuration() function allows users to change the lock duration of their tokens. However, due to a flawed check, users can set a new lock duration that is shorter than the original, effectively reducing their lock time.

Proof of Concept

When users lock tokens, the unlock time is set as block.timestamp + _lockDuration, _lock()#L382:

        lockedToken.unlockTime =
            uint32(block.timestamp) +
            uint32(_lockDuration);

The intended purpose is to prevent users from unlocking tokens before the specified unlock time. However, the check in setLockDuration() permits users to set a new duration that shortens the lock period, setLockDuration()#256:

                if (
                    uint32(block.timestamp) + uint32(_duration) <
                    lockedTokens[msg.sender][tokenContract].unlockTime
                ) {
                    revert LockDurationReducedError();
                }

                uint32 lastLockTime = lockedTokens[msg.sender][tokenContract]
                    .lastLockTime;
                lockedTokens[msg.sender][tokenContract].unlockTime =
                    lastLockTime +
                    uint32(_duration);

This allows users to effectively bypass the lock period restriction. For example, if Alice locks tokens for 7 days and then, after 4 days, changes the lock duration to 3 days, the check will pass and Alice can unlock her tokens earlier than intended.

Tools Used

vscode

                if (
                    lockedTokens[msg.sender][tokenContract].lastLockTime + uint32(_duration) <=
                    lockedTokens[msg.sender][tokenContract].unlockTime
                ) {
                    revert LockDurationReducedError();
                }

Assessed type

Invalid Validation

#0 - c4-judge

2024-06-04T12:40:54Z

alex-ppg marked the issue as duplicate of #89

#1 - c4-judge

2024-06-05T12:53:46Z

alex-ppg marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter