search
Active Boosts

57482 sc critical front running a donation can inflate the share causing users to lose funds

Submitted on Oct 26th 2025 at 15:38:40 UTC by @ox9527 for Audit Comp | Belongarrow-up-right

  • Report ID: #57482

  • Report Type: Smart Contract

  • Report severity: Critical

  • Target: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/Staking.sol

  • Impacts:

    • Permanent freezing of funds

triangle-exclamation

Critical: Front-running a donation and direct token transfers to the staking contract can permanently inflate shares and cause subsequent users to receive zero shares for their deposits, resulting in loss of funds.

hashtag
Description

hashtag
Brief / Intro

In Staking.sol::deposit(), a minimum deposit amount is enforced. An attacker can front-run by depositing just 1 wei into the staking contract and then transferring additional LONG tokens directly to it.

This manipulates the share calculation, leading to share inflation, which causes subsequent users to receive zero shares for their deposits and ultimately suffer a loss of funds.

hashtag
Vulnerability Details

In Staking.sol::deposit() the contract calls:

function _deposit(address by, address to, uint256 assets, uint256 shares) internal override {
    super._deposit(by, to, assets, shares); <@
    // lock freshly minted shares
    stakes[to].push(Stake({shares: shares, timestamp: block.timestamp})); 
}

The sequence allows an attacker to create a situation where the contract's token balance increases (via direct token transfer / "donation") after a minimal deposit, inflating the assets-versus-shares ratio and causing following deposits to mint zero shares.

hashtag
Impact Details

  • Subsequent users can receive zero shares for their deposits.

  • Funds may become effectively frozen or lost for honest users who can no longer obtain shares proportional to their deposits.

hashtag
Exploit steps

1

hashtag
Step: Attacker makes a minimal deposit

Attacker deposits the minimum enforced amount (e.g., 1 wei) via deposit() so they receive shares.

2

hashtag
Step: Attacker donates additional tokens directly

Attacker transfers additional LONG tokens directly to the staking contract (not via deposit()), increasing the contract's token balance without minting shares.

3

hashtag
Step: Share calculation is skewed

Because the contract's asset balance increases while total shares remain nearly unchanged, the assets-per-share ratio inflates. Subsequent deposit calls compute shares using the new (inflated) ratio and may mint zero shares for honest users.

hashtag
Proof of Concept

chevron-rightSolidity Forge test PoC (expand to view)hashtag

hashtag
References

  • Target contract: https://github.com/immunefi-team/audit-comp-belong/blob/main/contracts/v2/periphery/Staking.sol

(End of report)

Previous57712 sc medium receiver deployment dos via salt reuseNext57426 sc medium dynamic price signature replay allows unlimited minting at historical prices

Was this helpful?