HaxSecurity - Precision loss when calculating rewardData.rate #13

Closed
sherlock-admin2 opened this issue Jul 25, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue


sherlock-admin2 commented Jul 25, 2024

HaxSecurity

Medium

Precision loss when calculating rewardData.rate

Summary

Precision loss when calculating rewardData.rate

Root Cause

In the function below, precision loss can occur:

https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L213

  function notifyRewardAmount(IERC20 reward, uint256 amount, address notifier) internal onlyReward(reward) {
    updateIndex(reward);
    RewardData storage rewardData = rewards[reward];
    if (block.timestamp >= rewardData.finishAt) {
      // integer division truncates: the remainder (amount % duration) is dropped
      rewardData.rate = amount / rewardData.duration;
    }
    // ... (rest of the function is not shown in the report)
  }

Let's suppose rewardData.duration is 1 week = 604800 seconds. When notifyRewardAmount is called, if the reward token is WBTC, which has 8 decimals, up to 604799 / 1e8 WBTC can be lost (as if the amount were 604799 less). 604799 / 1e8 WBTC = 0.006 WBTC = 400 USD lost to precision loss. This 400 USD then cannot be distributed to stakers.

Internal pre-conditions

WBTC used

External pre-conditions

n/a

Attack Path

n/a

Impact

Precision loss of 400 USDC

PoC

No response

Mitigation

Store the rewardRate scaled by 1e18, so the loss of precision will be lower by a magnitude of 1e18.

Duplicate of #96

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Jul 28, 2024
@sherlock-admin2 sherlock-admin2 changed the title Shambolic Iron Shetland - Precision loss when calculating rewardData.rate HaxSecurity - Precision loss when calculating rewardData.rate Aug 9, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Aug 9, 2024
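
The truncation described in the report and the scaled-rate mitigation can be compared with a small model of the integer arithmetic. This is an added example, not code from the issue or from the audited contracts: Python integers stand in for uint256, the function names are hypothetical, and the scaled payout formula is an assumed reading of the Mitigation section. It also covers one case beyond the report, an amount smaller than the duration, where the unscaled rate becomes zero.

```python
# Added model of the integer arithmetic in notifyRewardAmount; not the project's code.
# Python ints stand in for uint256 and // for Solidity's truncating division.

WEEK = 604_800          # rewardData.duration used in the report (seconds)
SCALE = 10**18          # scaling factor proposed in the Mitigation section
WBTC_UNIT = 10**8       # WBTC has 8 decimals


def stream_unscaled(amount: int, duration: int = WEEK) -> tuple[int, int]:
    """rate = amount / duration, as in the reported line. Returns (rate, dust)."""
    rate = amount // duration
    distributed = rate * duration      # total paid out over the full period
    return rate, amount - distributed  # dust is never distributed


def stream_scaled(amount: int, duration: int = WEEK) -> tuple[int, int]:
    """Rate stored multiplied by SCALE, divided back out on payout (assumed design)."""
    rate = amount * SCALE // duration
    distributed = rate * duration // SCALE
    return rate, amount - distributed


# Constructed sample amounts, in WBTC base units.
SAMPLES = {
    "1 WBTC": 1 * WBTC_UNIT,
    "worst case (166 * WEEK - 1)": 166 * WEEK - 1,
    "below one base unit per second": 500_000,
}

if __name__ == "__main__":
    for label, amount in SAMPLES.items():
        _, dust_plain = stream_unscaled(amount)
        _, dust_scaled = stream_scaled(amount)
        print(f"{label}: dust unscaled={dust_plain} scaled={dust_scaled}")
```

In this model the unscaled dust equals `amount % duration`, so it is bounded by `duration - 1` base units regardless of the amount, while the scaled variant leaves at most one base unit.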