Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-08-LIVEPEER-FINDINGS-ISSUES-157
HistorySep 06, 2023 - 12:00 a.m.

lastFeeRound is only updated after adding fees and updating the cumulative fee factor. So when first calling updateTranscoderWithFees() in a new round, lastFeeRound will still be set to the previous round.

2023-09-0600:00:00
Code4rena
github.com
3
incorrect fee calculations
delegators
earnings
JSON

Lines of code
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1215-L1217&gt;
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1276&gt;

Vulnerability details

Impact

This could lead to incorrect fee calculations for delegators when claiming fees or pending fees.
First time earnings are calculated in the new round, they will use the old cumulative fee factor rather than starting from 0 as intended. This effectively pays out some fees twice to delegators.

Proof of Concept

True, this is a potential issue in the code.
The key parts are:

  1. lastFeeRound is only updated when fees are added in updateTranscoderWithFees():<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L384&gt;
  2. latestCumulativeFactorsPool() uses lastFeeRound to determine which cumulative fee factor to return:<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1215-L1217&gt;
  3. delegatorCumulativeStakeAndFees() uses the cumulative factors returned by latestCumulativeFactorsPool() to calculate earnings:<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/BondingManager.sol#L1276&gt;
    So when updateTranscoderWithFees() is first called in a new round, lastFeeRound will still be the previous round. This means latestCumulativeFactorsPool() will return the fee factor for the previous round, not the current round.

Tools Used

Manual

Recommended Mitigation Steps

lastFeeRound couuld be reset to 0 in reward() along with the other earnings tracking fields like cumulativeFees. This would ensure it starts fresh in each new round.

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

JSON