Code4rena finding: code423n4 / 2023-03-neotokyo-findings, issue 350
Mar 15, 2023

Staking BYTES to Citizen does not extend timelock, allowing attacker to manipulate totalPoints with flash loan

Tags: neotokyostaker, bytes token, citizen, timelock, manipulation, rewards, flash loan

Lines of code

Vulnerability details

Impact

In NeoTokyoStaker, BYTES tokens can be staked into a Citizen. The Citizen must be staked first, which locks it in the staking contract for the timelock duration. A staker who wants to stake BYTES then specifies that Citizen ID and stakes into it.

However, staking BYTES into a Citizen does not extend the Citizen's timelock. As a result, an attacker can abuse this to inflate totalPoints for a single block, so that other stakers who claim in that block receive fewer rewards.

Proof of Concept

The attacker stakes any Citizen and waits until after its timelockEndTime to execute the attack. Now consider the scenario in which Alice (a normal user) claims her reward:

  1. The attacker adds a huge amount of BYTES to his position, increasing totalPoints to a very large value.
  2. Alice's transaction executes. Because totalPoints has been inflated, Alice's share is smaller and she receives less reward.
  3. The attacker removes the BYTES he staked. Because the timelock is not extended when BYTES are staked, he can remove them in the same block, so the cost of the attack is only gas. The BYTES can be the attacker's own funds or a flash loan, since the whole attack happens within one block.
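The following is an added toy model of the dilution described above, not the project's code: a minimal staker where rewards are computed from the claimant's share of totalPoints at claim time, and where staking BYTES does or does not reset the timelock. The constants (LOCK_BLOCKS, REWARD_PER_BLOCK), the 100-point Citizens and the 1,000,000-point flash stake are constructed values.

```python
"""Toy model of the NeoTokyoStaker reward-share dilution (constructed example).

Not the project's code. Reward = emission * elapsed * my_points / total_points,
evaluated at claim time, which is what makes a same-block spike in
total_points effective.
"""
from dataclasses import dataclass, field

LOCK_BLOCKS = 100          # assumed timelock length in blocks
REWARD_PER_BLOCK = 1_000   # assumed emission shared pro rata by points


@dataclass
class Position:
    points: int = 0
    timelock_end: int = 0
    last_claim: int = 0


@dataclass
class ToyStaker:
    # False reproduces the reported behaviour; True applies the mitigation.
    extend_on_bytes_stake: bool = False
    total_points: int = 0
    positions: dict = field(default_factory=dict)

    def stake_citizen(self, who: str, points: int, now: int) -> None:
        pos = self.positions.setdefault(who, Position())
        pos.points += points
        pos.timelock_end = now + LOCK_BLOCKS
        pos.last_claim = now
        self.total_points += points

    def stake_bytes(self, who: str, points: int, now: int) -> None:
        pos = self.positions[who]          # Citizen must already be staked
        pos.points += points
        self.total_points += points
        if self.extend_on_bytes_stake:     # recommended fix: lock the new stake too
            pos.timelock_end = now + LOCK_BLOCKS

    def withdraw_bytes(self, who: str, points: int, now: int) -> None:
        pos = self.positions[who]
        if now < pos.timelock_end:
            raise PermissionError("timelock active")
        pos.points -= points
        self.total_points -= points

    def claim(self, who: str, now: int) -> int:
        # Share is taken from total_points as it stands in this block.
        pos = self.positions[who]
        elapsed = now - pos.last_claim
        reward = REWARD_PER_BLOCK * elapsed * pos.points // self.total_points
        pos.last_claim = now
        return reward


def run_scenario(attack: bool, mitigated: bool):
    """Return (alice_reward, attacker_withdrew_same_block)."""
    s = ToyStaker(extend_on_bytes_stake=mitigated)
    s.stake_citizen("alice", 100, now=0)
    s.stake_citizen("attacker", 100, now=0)
    now = LOCK_BLOCKS + 1              # attacker's Citizen timelock has expired
    flash = 1_000_000                  # constructed flash-loaned BYTES points
    if attack:
        s.stake_bytes("attacker", flash, now)
    alice_reward = s.claim("alice", now)   # Alice's tx lands in the same block
    withdrew = None
    if attack:
        try:
            s.withdraw_bytes("attacker", flash, now)
            withdrew = True            # unmitigated: funds back, loan repayable
        except PermissionError:
            withdrew = False           # mitigated: stake locked for LOCK_BLOCKS
    return alice_reward, withdrew


if __name__ == "__main__":
    print("honest   :", run_scenario(attack=False, mitigated=False))
    print("attacked :", run_scenario(attack=True, mitigated=False))
    print("mitigated:", run_scenario(attack=True, mitigated=True))
```

Note that the mitigation does not restore Alice's reward in the block where the attacker front-runs her; it only makes the attack uneconomic, because the inflated stake is locked for the full timelock and a flash loan can no longer be repaid in the same transaction.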

Tools Used

Manual Review

Recommended Mitigation Steps

Consider extending the timelock duration when stakers stake BYTES into a Citizen, so that newly staked BYTES cannot be withdrawn in the same block.

