Code4rena CODE423N4:2023-03-MUTE-FINDINGS-ISSUES-48
Apr 04, 2023

Upgraded Q -> 2 from #17 [1680620822176]


Judge has assessed an item in Issue #17 as 2 risk. The relevant finding follows:

[L-10] It is possible in theory that stakes get locked due to call to LockTo with very small reward amount
I pointed out and explained in my report #7 ("MuteBond.sol: deposit function reverts if remaining payout is very small due to >0 check in dMute.LockTo function") how the MuteBond.LockTo function reverts when it is called with an amount <= 52 Wei.

While in the MuteBond contract an attacker can actively make this situation occur and cause a temporary DOS, this is not possible in the MuteAmplifier contract.

The MuteAmplifier contract makes two calls to MuteBond.LockTo:

```solidity
if (reward > 0) {
    uint256 week_time = 60 * 60 * 24 * 7;
    IDMute(dToken).LockTo(reward, week_time ,msg.sender);

    userClaimedRewards[msg.sender] = userClaimedRewards[msg.sender].add(
        reward
    );
    totalClaimedRewards = totalClaimedRewards.add(reward);

    emit Payout(msg.sender, reward, remainder);
}
```
```solidity
if (reward > 0) {
    uint256 week_time = 1 weeks;
    IDMute(dToken).LockTo(reward, week_time ,msg.sender);

    userClaimedRewards[msg.sender] = userClaimedRewards[msg.sender].add(
        reward
    );
    totalClaimedRewards = totalClaimedRewards.add(reward);
}
```

In theory there exists the possibility that the rewards that are paid out to a user are > 0 Wei and <= 52 Wei.

If at the endTime this is the case, the rewards will not increase anymore, making it impossible for the staker to withdraw his staked funds, which results in a complete loss of funds.

However, with any reasonable value of totalRewards this is not going to occur. Actually, it’s a real challenge to make the contract output a reward of > 0 Wei and <= 52 Wei.

It might be beneficial to implement the following changes just to be safe:

diff --git a/contracts/amplifier/MuteAmplifier.sol b/contracts/amplifier/MuteAmplifier.sol
index 9c6fcb5…37adc7f 100644
-– a/contracts/amplifier/MuteAmplifier.sol
+++ b/contracts/amplifier/MuteAmplifier.sol
@@ -242,7 +242,7 @@ contract MuteAmplifier is Ownable{
IERC20(muteToken).transfer(treasury, remainder);
}
// payout rewards

  •    if (reward &gt; 0) {
    
  •    if (reward &gt; 52) {
       uint256 week_time = 60 * 60 * 24 * 7;
       IDMute(dToken).LockTo(reward, week_time ,msg.sender);
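
Review bot: The literal 52 in the new `if (reward > 52)` guard is an unexplained magic number whose meaning comes entirely from the `LockTo` call two lines below it. Give it a named constant with a comment pointing at the `>0` check in dMute.LockTo that the finding describes, so that any change to that check prompts a re-check of the threshold. The context line `IERC20(muteToken).transfer(treasury, remainder);` shows leftovers already being sent to the treasury; a skipped reward of 1 to 52 Wei could take the same path instead of being left unaccounted for.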
    

@@ -284,7 +284,7 @@ contract MuteAmplifier is Ownable{
IERC20(muteToken).transfer(treasury, remainder);
}
// payout rewards

  •    if (reward &gt; 0) {
    
  •    if (reward &gt; 52) {
       uint256 week_time = 1 weeks;
       IDMute(dToken).LockTo(reward, week_time ,msg.sender);
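
Review bot: The threshold in `if (reward > 52)` is a second hard-coded copy of the value used in the hunk at line 242, and the two can drift apart if only one is updated later; both guards should reference one shared constant. This hunk also writes the lock period as `1 weeks` while the earlier one uses `60 * 60 * 24 * 7`; using `1 weeks` in both places keeps the two payout paths visibly identical.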
    

In case rewards are <= 52 Wei they will be lost. But they are worthless anyway.
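
An alternative to the hard-coded threshold, as an added example that is not from the report or from Mute's code base: the payout wraps the `LockTo` call in `try`/`catch`, so a revert on a tiny reward cannot block the withdrawal that triggers it. `IDMuteLike`, `MockDMute`, `PayoutSketch`, `skippedDust`, `DustSkipped` and `simulateWithdraw` are hypothetical names, and the mock assumes only the revert for amounts <= 52 Wei that the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not Mute's code; all contract and function names are hypothetical.
interface IDMuteLike {
    function LockTo(uint256 amount, uint256 lockTime, address to) external;
}

// Stand-in for dMute. Assumption taken from the finding: amounts <= 52 Wei revert.
contract MockDMute is IDMuteLike {
    mapping(address => uint256) public locked;
    function LockTo(uint256 amount, uint256, address to) external override {
        require(amount > 52, "MockDMute: amount too small");
        locked[to] += amount;
    }
}

contract PayoutSketch {
    IDMuteLike public immutable dToken;
    mapping(address => uint256) public userClaimedRewards;
    uint256 public totalClaimedRewards;
    uint256 public skippedDust; // rewards LockTo refused, kept visible for accounting

    event Payout(address indexed user, uint256 reward);
    event DustSkipped(address indexed user, uint256 reward);

    constructor(IDMuteLike dToken_) { dToken = dToken_; }

    // Demo entry point: a real contract computes `reward` itself.
    function simulateWithdraw(uint256 reward) external returns (bool paid) {
        paid = _payout(msg.sender, reward);
        // ...the stake transfer would follow here and is reached in every case
    }

    // Locks the reward if dToken accepts it; a revert inside LockTo is caught,
    // so it can no longer block the withdrawal that calls this function.
    function _payout(address user, uint256 reward) internal returns (bool) {
        if (reward == 0) return false;
        try dToken.LockTo(reward, 1 weeks, user) {
            userClaimedRewards[user] += reward;
            totalClaimedRewards += reward;
            emit Payout(user, reward);
            return true;
        } catch {
            skippedDust += reward;
            emit DustSkipped(user, reward);
            return false;
        }
    }
}
```

A bare `catch` also swallows unrelated failures inside `LockTo`, which is why the sketch records `skippedDust` and emits `DustSkipped`: monitoring can then alert on skipped payouts that are larger than dust.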

