Labels: Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label), Medium (A Medium severity issue), Reward (A payout will be made for this issue)
Loss of rewards due to rounding when the reward token has low decimals (wbtc)
sherlock-admin2 changed the title from "Fit Boysenberry Stallion - Loss of rewards due to rounding when the reward token has low decimals (wbtc)" to "santipu_ - Loss of rewards due to rounding when the reward token has low decimals (wbtc)" on Aug 9, 2024
santipu_
Medium
Loss of rewards due to rounding when the reward token has low decimals (wbtc)
Summary
The precision loss in notifyRewardAmount will cause a partial loss of rewards when the reward token has low decimals (wbtc).
Root Cause
In StakedEXA.sol:213 there is a precision loss that will cause a partial loss of rewards for stakers when the reward tokens have low decimals (e.g. wbtc).
https://github.com/sherlock-audit/2024-07-exactly-stacking-contracts/blob/main/protocol/contracts/StakedEXA.sol#L213
Internal pre-conditions
The providerAsset must be a low-decimal token like wbtc. We must consider that the deployed protocol has a market for wbtc so it's plausible that this token can be used to distribute rewards within the StakedEXA contract.
External pre-conditions
None
Attack Path
For this example, we will assume that the duration of the rewards distribution is 4 weeks, and the providerAsset is wbtc (values from the deployment script).
1. Any user calls deposit or mint to stake some EXA tokens.
2. The deposit or mint function calls the internal _update function before minting the actual shares.
3. The _update function calls harvest to distribute the dividends from the provider market.
4. The harvest function calls notifyRewardAmount with an amount of 0.0483 wbtc (valued at ~$3000 at the time of writing).
5. The function notifyRewardAmount divides the amount by the duration, causing a partial loss of rewards due to the precision loss:
After the transaction has been executed, the resulting distribution rate is 1, but some tokens won't get distributed due to the precision loss. Specifically, ~0.025 wbtc (~$1500) will be stuck in the contract and won't get distributed as rewards for the stakers.
Impact
The stakers can suffer up to a 50% loss of rewards when the provider asset has low decimals like wbtc.
PoC
No response
Mitigation
To mitigate this issue, it is recommended to add a new state variable (minRewardsToDistribute) that determines which is the minimum amount of rewards that must be accrued from the Market to distribute them between all stakers:
function notifyRewardAmount(IERC20 reward, uint256 amount, address notifier) internal onlyReward(reward) { updateIndex(reward); + if(amount < minRewardsToDistribute) return; // ... }
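Review bot: the added check `if(amount < minRewardsToDistribute) return;` compares against a single threshold although the function takes `IERC20 reward`, so the same raw-unit minimum would apply to every reward token regardless of its decimals; a threshold keyed by `reward` would fit the signature better. The early return also sits after `updateIndex(reward)` and the visible lines do not show what happens to the skipped amount, so the change should state whether harvest passes the accumulated balance again on a later call or whether small amounts are dropped. Amounts at or above the threshold still go through the division by the duration described in the report, so the check bounds the relative loss rather than removing the remainder; carrying the remainder into the next period would complement it.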
Duplicate of #96
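The truncation from the Attack Path, worked through with the report's numbers as an added example (a Python model written for this page, not code from StakedEXA.sol). It assumes the rate is simply amount / duration with Solidity integer division, as the report describes; the function names are hypothetical. It goes beyond the report by deriving how large a minRewardsToDistribute-style threshold must be to cap the loss at a chosen percentage.

```python
"""Model of the truncation in rate = amount / duration (added example)."""

WEEK = 7 * 24 * 60 * 60
DURATION = 4 * WEEK  # 4-week distribution period from the report, in seconds


def to_units(amount: str, decimals: int) -> int:
    """Convert a decimal string to the token's smallest units without floats."""
    whole, _, frac = amount.partition(".")
    if len(frac) > decimals:
        raise ValueError("more fractional digits than the token has decimals")
    return int(whole or "0") * 10**decimals + int(frac.ljust(decimals, "0") or "0")


def distribute(amount: int, duration: int = DURATION) -> dict:
    """Assumed simplification of notifyRewardAmount: rate = amount / duration."""
    rate = amount // duration   # Solidity-style integer division, truncates
    paid = rate * duration      # the most stakers can receive over the period
    stuck = amount - paid       # equals amount % duration, never streamed
    loss_bps = stuck * 10_000 // amount if amount else 0
    return {"rate": rate, "paid": paid, "stuck": stuck, "loss_bps": loss_bps}


def threshold_for_loss_cap(max_loss_bps: int, duration: int = DURATION) -> int:
    """A minimum amount that guarantees loss <= max_loss_bps for anything above it.

    stuck is at most duration - 1, so amount >= (duration - 1) * 10_000 / bps
    is sufficient; the result is rounded up.
    """
    return -(-((duration - 1) * 10_000) // max_loss_bps)


def report_case() -> dict:
    """The report's scenario: 0.0483 wbtc at 8 decimals over 4 weeks."""
    return distribute(to_units("0.0483", 8))


if __name__ == "__main__":
    print("wbtc, 8 decimals :", report_case())
    print("same, 18 decimals:", distribute(to_units("0.0483", 18)))
    print("threshold for 1% cap (wbtc units):", threshold_for_loss_cap(100))
```

Under this model the report's deposit leaves 2,410,800 units (0.024108 wbtc) undistributed, and a threshold that caps the loss at 1% comes to 241,919,900 units, about 2.42 wbtc per call.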