2 matches found
An attacker can manipulate the total active stake before calling reward() to get more rewards
Lines of code Vulnerability details Impact Attackers could drain rewards meant for other transcoders. Proof of Concept The key vulnerable code is in the reward function: This uses the transcoder's total stake earningsPool.totalStake and the total active stake currentRoundTotalActiveStake to...
DoS and stealing users' USDC
Handle OriDabush Vulnerability details Sherlock.sol An attacker can DoS the system and steal user's USDC if he manages to stake his USDC first i.e. minting token ID 1. It can be done by calling the initialStake with every amount let's say amount = 1 for example. Let's assume the lock period is...