Lines of code
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1215-L1217>
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1276>
Vulnerability details
Impact
This could lead to incorrect fee calculations for delegators when claiming fees or pending fees.
The first time earnings are calculated in the new round, they will use the old cumulative fee factor rather than starting from 0 as intended. This effectively pays out some fees twice to delegators.
Proof of Concept
True, this is a potential issue in the code.
The key parts are:
- lastFeeRound is only updated when fees are added in updateTranscoderWithFees(): <https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L384>
- latestCumulativeFactorsPool() uses lastFeeRound to determine which cumulative fee factor to return: <https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1215-L1217>
- delegatorCumulativeStakeAndFees() uses the cumulative factors returned by latestCumulativeFactorsPool() to calculate earnings: <https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1276>
So when updateTranscoderWithFees() is first called in a new round, lastFeeRound will still be the previous round. This means latestCumulativeFactorsPool() will return the fee factor for the previous round, not the current round.
Tools Used
Manual
Recommended Mitigation Steps
lastFeeRound could be reset to 0 in reward() along with the other earnings tracking fields like cumulativeFees. This would ensure it starts fresh in each new round.
Assessed type
Other