Lines of code
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L327>
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1519-L1520>
Vulnerability details
If lastRewardRound >= currentRound, the earningsPool for currentRound may not be initialized when reward() has not yet been called for currentRound, so using it to update cumulative rewards or fees can be incorrect.
This can lead to incorrect reward calculations for delegators. For example, if the cumulativeRewardFactor is 0 when it should be non-zero, delegators will get 0 rewards.
The vulnerability occurs in pendingStakeAndFees() when _endRound = currentRound and lastRewardRound >= currentRound.
In this case, endEarningsPool is not initialized because lastRewardRound >= currentRound, yet it is still used to calculate the cumulative factors. The calculation can then use uninitialized (zero) cumulative factor values and produce incorrect rewards.
A proof of concept:
Tools Used
Manual
Recommended Mitigation Steps
A check in pendingStakeAndFees() to initialize endEarningsPool if lastRewardRound >= _endRound
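As an added illustration, not code from the Livepeer repository, the following constructed Python model of per-round cumulative reward factors shows an uninitialized end-round pool yielding 0 pending stake beside a lookup that falls back to the latest initialized round at or before _endRound, which is the check described above generalized to any gap in reward() calls. All names (EarningsPool, Transcoder, call_reward, pending_stake_*) and the PREC scale are assumptions.

```python
# Constructed toy model of cumulative reward factors; NOT the BondingManager code.
# All names and the PREC scale are assumptions made for illustration only.
from dataclasses import dataclass, field
from typing import Dict

PREC = 10**27  # assumed fixed-point scale: a factor equal to PREC means 1.0


@dataclass
class EarningsPool:
    cumulative_reward_factor: int = 0  # 0 == pool never initialized for that round


@dataclass
class Transcoder:
    last_reward_round: int = 0
    pools: Dict[int, EarningsPool] = field(default_factory=dict)

    def pool(self, rnd: int) -> EarningsPool:
        return self.pools.get(rnd, EarningsPool())


def call_reward(t: Transcoder, rnd: int, reward: int, total_stake: int) -> None:
    """Model of reward(): extend the factor from the last initialized round."""
    prev = t.pool(t.last_reward_round).cumulative_reward_factor or PREC
    t.pools[rnd] = EarningsPool(prev * (total_stake + reward) // total_stake)
    t.last_reward_round = rnd


def latest_initialized_factor(t: Transcoder, rnd: int) -> int:
    """Most recent initialized factor at or before rnd (1.0 if none exists)."""
    while rnd > 0:
        f = t.pool(rnd).cumulative_reward_factor
        if f != 0:
            return f
        rnd -= 1
    return PREC


def pending_stake_unchecked(t: Transcoder, stake: int, start: int, end: int) -> int:
    """Pattern described in the finding: the end-round pool is used as stored."""
    end_factor = t.pool(end).cumulative_reward_factor  # 0 if reward() skipped `end`
    return stake * end_factor // latest_initialized_factor(t, start)


def pending_stake_checked(t: Transcoder, stake: int, start: int, end: int) -> int:
    """Mitigated pattern: fall back to the latest initialized factor <= end."""
    return stake * latest_initialized_factor(t, end) // latest_initialized_factor(t, start)


def build_scenario() -> Transcoder:
    """Constructed history: reward() called in rounds 1, 2 and 4, skipped in 3."""
    t = Transcoder()
    for rnd in (1, 2, 4):
        call_reward(t, rnd, reward=100, total_stake=1000)  # +10% each call
    return t
```

With this history a delegator holding 500 stake since round 1 who queries round 3 (lastRewardRound = 4 >= 3, pool 3 never initialized) gets 0 from the unchecked lookup and 550 from the checked one.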
Assessed type
Other