Mar 15, 2023

Attacker can abuse rounding down to get reward without depositing anything in LP pool

Code4rena
rounding down
deposit exploitation
reward manipulation
precision loss

Lines of code

Vulnerability details

Impact

In the function _withdrawLP(), the number of points to remove is computed from the amount input parameter:

unchecked {
  uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR;

  // Update the caller's LP token stake.
  lpPosition.amount -= amount;
  lpPosition.points -= points;

  // Update the pool point weights for rewards.
  pool.totalPoints -= points;
}

However, because every division in this expression rounds down, an attacker can withdraw the entire amount in small pieces without any points being removed. As a result, the attacker's LP position can have points > 0 even though amount = 0, so the attacker keeps receiving rewards without having anything deposited.

Proof of Concept

Consider the following scenario:

  1. Alice (attacker) deposits 1e18 LP tokens to NeoTokyoStaker. Assume multiplier = 10000. Alice receives
points = amount * 100 / 1e18 * multiplier / _DIVISOR;
  = 1e18 * 100 / 1e18 * 10000 / 100
  = 10000
  2. Alice withdraws 1e16 - 1 wei of LP tokens. The number of points deducted is
points = amount * 100 / 1e18 * multiplier / _DIVISOR;
  = (1e16 - 1) * 100 / 1e18 * 10000 / 100
  = 0
  3. Alice has withdrawn 1e16 - 1 wei of LP tokens without losing any points. She can repeat step 2 as many times as she wants and end up with a position that holds a large number of points but no LP tokens.
  4. In this example, she can repeat the withdrawal 100 times (for instance from a contract running a for loop) to withdraw everything, then start again from step 1. Each round earns her 10000 points.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider adding a PRECISION factor (e.g. 1e18) when calculating points from the LP amount, and perform all multiplications before the division to avoid precision loss.
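The following added example (not part of the finding or the NeoTokyo code) models the point accounting in plain integers, reproduces the PoC arithmetic for the original formula, and shows how a multiply-before-divide variant and a PRECISION-scaled variant behave under the same withdrawal pattern; the multiplier value 10000 and the 1e18 PRECISION are the assumptions from the report.

```python
# Added example, not from the finding or the NeoTokyo code. Python's //
# truncates like Solidity's / on uint256, so the arithmetic matches.
DIVISOR = 100           # _DIVISOR, as used in the report's arithmetic
MULTIPLIER = 10_000     # multiplier value assumed in the PoC
PRECISION = 10**18      # scale factor suggested in the mitigation (assumed 1e18)


def points_original(amount):
    # amount * 100 / 1e18 * multiplier / _DIVISOR: each division truncates
    # before the next multiplication, so any amount < 1e16 yields 0 points.
    return amount * 100 // 10**18 * MULTIPLIER // DIVISOR


def points_mul_first(amount):
    # All multiplications first, one final division: a single truncation
    # that loses less than one point per call.
    return amount * 100 * MULTIPLIER // (10**18 * DIVISOR)


def points_scaled(amount):
    # Points stored at PRECISION scale: the 1e18 factors cancel, so the
    # result is exact and strictly proportional to amount.
    return amount * 100 * MULTIPLIER * PRECISION // (10**18 * DIVISOR)


def drain(calc, deposit=10**18, chunk=10**16 - 1):
    """Deposit once, then withdraw `chunk` wei repeatedly (the PoC pattern).

    Returns (lp_amount_left, points_left) for the position.
    """
    amount, points = deposit, calc(deposit)
    while amount >= chunk:
        amount -= chunk
        points -= calc(chunk)      # same delta computation as _withdrawLP
    return amount, points


def accounting_consistent(calc):
    """Invariant an auditor would check after the drain: the stored points
    equal what the remaining LP amount would earn if deposited fresh."""
    amount_left, points_left = drain(calc)
    return points_left == calc(amount_left)


if __name__ == "__main__":
    for calc in (points_original, points_mul_first, points_scaled):
        print(calc.__name__, drain(calc), accounting_consistent(calc))
```

With the original formula the position ends with 100 wei of LP and all 10000 points intact; multiplying first leaves 100 points on 100 wei (a residual, but two orders of magnitude smaller per operation); only the PRECISION-scaled variant keeps points exactly proportional to the remaining amount.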

