OTSea Staking - lost 26k due to a logic flaw in their contract
What happened

The staking contract, OTSeaStaking, was hacked and lost 26k. The attacker exploited a logic flaw in the contract that allowed them to call "withdraw" repeatedly and receive far more tokens than they had staked.

The problem

At line 396 of OTSeaStaking.sol, deposit.amount is not handled properly: it is never decreased when a withdrawal is paid out. Because the stored amount stays unchanged, a single deposit can be withdrawn multiple times.

PoC

The PoC of this incident I wrote can be found here

Reference

transaction hash

https://nickfranklin.site/2024/09/13/otsea-staking-hacked/
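The flaw described above (a withdraw that pays out deposit.amount without ever reducing it) next to the corrected pattern, as an added illustration written for this write-up. It is a hypothetical minimal model, not the OTSeaStaking source; the contract, struct and function names are assumptions, and the token is assumed to have standard ERC-20 semantics.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface for the staked ERC-20 token (assumption: standard ERC-20 semantics).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared bookkeeping for both variants below. Hypothetical model written for this
// write-up, not the OTSeaStaking source.
abstract contract StakingBase {
    struct Deposit { uint256 amount; }
    IERC20 public immutable token;
    mapping(address => Deposit) public deposits;

    constructor(IERC20 _token) { token = _token; }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender].amount += amount;
    }
}

// The flawed pattern: withdraw pays out deposit.amount but never reduces it, so every
// repeated call pays the same amount again, drawn from other stakers' funds.
contract VulnerableStaking is StakingBase {
    constructor(IERC20 _token) StakingBase(_token) {}
    function withdraw() external {
        Deposit storage deposit = deposits[msg.sender];
        require(deposit.amount > 0, "nothing staked");
        require(token.transfer(msg.sender, deposit.amount), "transfer failed");
        // deposit.amount is unchanged here: the accounting no longer matches the tokens held
    }
}

// The corrected pattern: settle the accounting before the external transfer
// (checks-effects-interactions), so a second call finds nothing to withdraw.
contract FixedStaking is StakingBase {
    constructor(IERC20 _token) StakingBase(_token) {}
    function withdraw() external {
        Deposit storage deposit = deposits[msg.sender];
        uint256 amount = deposit.amount;
        require(amount > 0, "nothing staked");
        deposit.amount = 0; // effect first, then interaction
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A useful invariant to assert in tests or monitoring for contracts of this shape is that the sum of all stored deposit amounts never exceeds the contract's token balance; the vulnerable variant violates it after the first repeated withdrawal.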