ID: CODE423N4:2021-10-COVALENT-FINDINGS-ISSUES-24
Source: Code4rena (code423n4)
Date: Oct 21, 2021 - 12:00 a.m.

takeOutRewardTokens(): epochs calculation should be rounded up

Code4rena
github.com

Handle

hickuphh3

Vulnerability details

Impact

If the owner removes rewards, the number of epochs deducted from the end epoch could be 1 less than it should be, because Solidity integer division rounds down. This results in more rewards being taken out than allowed.

Proof of Concept

Assume

  • currentEpoch is 1000
  • end epoch is 2000
  • 1 CQT per epoch reward emission: allocatedTokensPerEpoch = 1e18

There are therefore (2000 - 1000) * 1 CQT = 1000 CQT remaining to be distributed.

If the owner removes 99.99 CQT = 99.99 * 1e18 = 9999 * 1e16,

  • epochs = (9999 * 1e16) / 1e18 = 99
  • new end epoch = 2000 - 99 = 1901

However, the remaining rewards, 1000 - 99.99 = 900.01 CQT, can cover only 900 epochs, which is 1 less than the 901 epochs (1901 - 1000) left before the calculated end epoch of 1901.

Recommended Mitigation Steps

Use OpenZeppelin’s ceilDiv() for the epoch calculation.

uint128 epochs = uint128(Math.ceilDiv(amount, allocatedTokensPerEpoch));
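
The proof of concept above, modelled with Python integers as an added example (not code from the audited contract or from the report). The function and parameter names other than allocatedTokensPerEpoch are hypothetical, and it assumes, as the report does, that the rewards held equal (end epoch - current epoch) * allocatedTokensPerEpoch before the withdrawal.

```python
CQT = 10**18  # 1 CQT in base units, matching allocatedTokensPerEpoch = 1e18


def floor_div(a: int, b: int) -> int:
    """Solidity's `/` on unsigned integers: the remainder is discarded."""
    return a // b


def ceil_div(a: int, b: int) -> int:
    """Round-up division, the behaviour the report asks for via Math.ceilDiv."""
    return a // b + (0 if a % b == 0 else 1)


def take_out(amount, current_epoch, end_epoch, per_epoch, div):
    """Model of the end-epoch update (hypothetical helper, not contract code).

    Returns (new_end_epoch, shortfall). shortfall is the number of base units
    still owed for the epochs before new_end_epoch that the contract no
    longer holds after `amount` has been removed.
    """
    remaining = (end_epoch - current_epoch) * per_epoch
    if amount > remaining:
        raise ValueError("cannot remove more than the undistributed rewards")
    epochs = div(amount, per_epoch)           # epochs cut from the schedule
    new_end = end_epoch - epochs
    owed = (new_end - current_epoch) * per_epoch
    funded = remaining - amount
    return new_end, max(0, owed - funded)


def underfunded(amounts, div, current_epoch=1000, end_epoch=2000, per_epoch=CQT):
    """Amounts from `amounts` that leave the reward schedule short of funds."""
    return [a for a in amounts
            if take_out(a, current_epoch, end_epoch, per_epoch, div)[1] > 0]


if __name__ == "__main__":
    amount = 9999 * 10**16                    # 99.99 CQT, as in the report
    for name, div in (("floor", floor_div), ("ceil", ceil_div)):
        new_end, short = take_out(amount, 1000, 2000, CQT, div)
        print(f"{name}: end epoch {new_end}, shortfall {short / CQT} CQT")
    # Constructed sample amounts: only exact multiples are safe with floor.
    samples = [1, CQT - 1, CQT, 100 * CQT, amount]
    print("underfunded with floor:", underfunded(samples, floor_div))
    print("underfunded with ceil: ", underfunded(samples, ceil_div))
```

With rounding down, every amount that is not an exact multiple of allocatedTokensPerEpoch leaves the schedule short; with rounding up, the leftover fraction stays in the contract as a surplus instead.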

