In function _withdrawLP(), it calculates the amount of points from the amount input parameter.
unchecked {
    uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR;

    // Update the caller's LP token stake.
    lpPosition.amount -= amount;
    lpPosition.points -= points;

    // Update the pool point weights for rewards.
    pool.totalPoints -= points;
}
However, because the calculation rounds down, an attacker can withdraw the entire amount without removing any points. As a result, an attacker's LP position can have points > 0 even though amount = 0, which means the attacker still receives rewards without having anything deposited.
Consider the scenario:
    points = amount * 100 / 1e18 * multiplier / _DIVISOR;
           = 1e18 * 100 / 1e18 * 10000 / 100
           = 10000
    points = amount * 100 / 1e18 * multiplier / _DIVISOR;
           = (1e16 - 1) * 100 / 1e18 * 10000 / 100
           = 0
Manual Review
Consider adding PRECISION (e.g. 1e18) when calculating points from amount in the LP pool. Also consider doing all multiplications before any division to avoid precision loss.
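The following is an added example, not code from the report or the audited project: it models the integer arithmetic in Python to compare the original operation order with the two recommended changes, using the multiplier and divisor from the scenario above. The function names are hypothetical, and it assumes a deposit credits points with the same formula that a withdrawal uses to remove them.

```python
# Constants from the report's scenario; PRECISION is the report's suggested 1e18.
DIVISOR = 100
MULTIPLIER = 10_000
PRECISION = 10**18


def points_original(amount, multiplier=MULTIPLIER):
    # Same operation order as the snippet: divide by 1e18 before multiplying.
    return amount * 100 // 10**18 * multiplier // DIVISOR


def points_mul_first(amount, multiplier=MULTIPLIER):
    # All multiplications first, one division at the end.
    return amount * 100 * multiplier // (10**18 * DIVISOR)


def points_scaled(amount, multiplier=MULTIPLIER):
    # Multiplications first, with points stored scaled up by PRECISION.
    return amount * 100 * multiplier * PRECISION // (10**18 * DIVISOR)


def leftover_points(formula, deposit, chunk):
    """Deposit once, withdraw everything in chunk-sized pieces, and return
    the points still credited once the staked amount reaches zero."""
    # Assumption: the deposit credits points with the same formula.
    amount, points = deposit, formula(deposit)
    while amount > 0:
        step = min(chunk, amount)
        amount -= step
        points -= formula(step)
    return points


def audit(deposit=10**18, chunk=10**16 - 1):
    # Invariant a test suite should enforce: zero amount implies zero points.
    formulas = (points_original, points_mul_first, points_scaled)
    return {f.__name__: leftover_points(f, deposit, chunk) for f in formulas}


if __name__ == "__main__":
    for name, left in audit().items():
        print(f"{name:18} leftover points at amount == 0: {left}")
```

With these inputs, multiplying before dividing shrinks the stranded points but does not eliminate them; only the PRECISION-scaled variant returns the position to zero points, so the two recommendations are needed together.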