Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-08-LIVEPEER-FINDINGS-ISSUES-219
HistorySep 06, 2023 - 12:00 a.m.

Initialization Issue in EarningsPoolL

2023-09-0600:00:00
Code4rena
github.com
5
vulnerability
impact
scenario
mitigation
earningspooll
JSON

Lines of code
<https://github.com/code-423n4/2023-08-livepeer/blob/a3d801fa4690119b6f96aeb5508e58d752bda5bc/contracts/bonding/libraries/EarningsPoolLIP36.sol#L59&gt;

Vulnerability details

Impact

the vulnerable part in code :

uint256 prevCumulativeRewardFactor = _prevEarningsPool.cumulativeRewardFactor != 0
            ? _prevEarningsPool.cumulativeRewardFactor
            : PreciseMathUtils.percPoints(1, 1);

        earningsPool.cumulativeRewardFactor = prevCumulativeRewardFactor.add(
            PreciseMathUtils.percOf(prevCumulativeRewardFactor, _rewards, earningsPool.totalStake)
        );
    }
}

The prevCumulativeRewardFactor is initialized as _prevEarningsPool.cumulativeRewardFactor if it’s not equal to zero, so it’s initialized to PreciseMathUtils.percPoints(1, 1).
The problem is that if _prevEarningsPool.cumulativeRewardFactor is zero, it’s being set to PreciseMathUtils.percPoints(1, 1), which is equivalent to 1 in terms of percentage points. This might not be the desired behavior, especially if _prevEarningsPool.cumulativeRewardFactor is meant to represent a cumulative factor and can lead to incorrect calculations and potentially affect reward distribution for users in an earnings pool.

Proof of Concept

here real Scenario:

  • In certain scenarios, the _prevEarningsPool.cumulativeRewardFactor may be initialized to zero when the contract or system is first deployed or when a new round begins.
  • When the _prevEarningsPool.cumulativeRewardFactor is zero, it is currently being set to PreciseMathUtils.percPoints(1, 1) in the code, which is equivalent to a cumulative factor of 1 (100%).
  • This means that if _prevEarningsPool.cumulativeRewardFactor is intended to represent a cumulative factor that should start at 1 (100%), the code behaves correctly.
  • if _prevEarningsPool.cumulativeRewardFactor is meant to start at a different value (e.g., 0 or another value), this initialization logic is incorrect, potentially leading to inaccurate calculations.

Tools Used

manual review

Recommended Mitigation Steps

an example of how to fix the issue :

uint256 prevCumulativeRewardFactor;
if (_prevEarningsPool.cumulativeRewardFactor != 0) {
    prevCumulativeRewardFactor = _prevEarningsPool.cumulativeRewardFactor;
} else {
    prevCumulativeRewardFactor = PreciseMathUtils.percPoints(1, 1);
}

earningsPool.cumulativeRewardFactor = prevCumulativeRewardFactor.add(
    PreciseMathUtils.percOf(prevCumulativeRewardFactor, _rewards, earningsPool.totalStake)
);

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

JSON