Lines of code

Vulnerability details

Impact

When adding new token pool for staking in MasterChef contract

function add(address _token, uint _allocationPoints, uint16 _depositFee, uint _startBlock)

All other, already added, pools should be updated but currently they are not.
Instead, only totalPoints is updated. Therefore, old and not updated pools will lose it’s share during the next update.
Therefore, user rewards are not computed correctly (will be always smaller).

Proof of Concept

Scenario:

1. Owner adds new pool (first pool) for staking with points = 100 (totalPoints=100).
2. 1 block later Alice, Bob and Charlie stake 10 tokens there (at the same time).
3. 1 week passes
4. Owner adds new pool (second pool) for staking with points = 400 (totalPoints=500)
5. Right after that, when Alice, Bob or Charlie wants to withdraw tokens and claim rewards they will only be able to claim 20% of what they should, because their pool is updated with 20% (100/500) rewards instead of 100% (100/100) rewards for the past week.

Tools Used

Manual review

Recommended Mitigation Steps

Update all existing pools before adding new pool. Use the massUdpate() function which is already present … but unused.

The text was updated successfully, but these errors were encountered:

All reactions