Code4rena (code423n4): CODE423N4:2023-08-LIVEPEER-FINDINGS-ISSUES-234
Sep 06, 2023 - 12:00 a.m.

BondManager.updateTranscoderWithFees wrong decimal multiplication. Function always reverts due to underflow

Source: Code4rena (github.com)
Tags: mathutils, precisemathutils, confusion, underflow, decimal, treasuryrewardcutrate


Lines of code

Vulnerability details

BondingManager.sol uses two math libraries: MathUtils uses 1e6 as its precision, while PreciseMathUtils uses 1e27.
Some variables use MathUtils while others use PreciseMathUtils, which can cause confusion.
This happens with the treasuryRewardCutRate variable, which requires PreciseMathUtils (per its comment) but is mistakenly used with MathUtils on this specific line.

Impact

Function updateTranscoderWithFees() does not work as intended and always reverts when called twice in the current round.

Proof of Concept

    // Deduct what would have been the treasury rewards
    uint256 treasuryRewards = MathUtils.percOf(rewards, treasuryRewardCutRate);//@audit M treasury rate is 1e27. Here it is 1e6
    rewards = rewards.sub(treasuryRewards);//@note reward now sends some percentage to treasury

treasuryRewardCutRate is scaled to 1e27 decimals, so it is supposed to be used with PreciseMathUtils.percOf for all operations.

This is how rewardWithHint() in the same contract implements it.

treasuryRewardCutRate is 0.1e27 in the config.

So the second line, rewards = rewards - (rewards * treasuryRewardCutRate / 1e6), always underflows and reverts.
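To make the arithmetic in the proof of concept concrete, here is an added Python model (not the project's Solidity) of the two percOf helpers with their different PERC_DIVISOR constants and of the SafeMath subtraction; the formula amount * fraction / PERC_DIVISOR and the sample reward amount are assumptions for illustration.

```python
# Model of Livepeer's two percOf helpers with their different precisions
# (1e6 for MathUtils, 1e27 for PreciseMathUtils) and of the SafeMath
# subtraction guarding `rewards = rewards.sub(treasuryRewards)`.
# Added illustration, not the project's code; the formula
# amount * frac / PERC_DIVISOR is assumed from the report.

UINT256_MAX = 2**256 - 1
MATH_UTILS_DIVISOR = 10**6      # MathUtils precision (1e6)
PRECISE_DIVISOR = 10**27        # PreciseMathUtils precision (1e27)


def perc_of(amount: int, frac: int, divisor: int) -> int:
    """amount * frac / divisor, reverting (raising) on uint256 mul overflow."""
    product = amount * frac
    if product > UINT256_MAX:
        raise ArithmeticError("SafeMath: multiplication overflow")
    return product // divisor


def safe_sub(a: int, b: int) -> int:
    """SafeMath.sub: revert (here: raise) when b > a."""
    if b > a:
        raise ArithmeticError("SafeMath: subtraction overflow")
    return a - b


def deduct_treasury(rewards: int, cut_rate: int, precise: bool) -> int:
    """Remaining rewards after the treasury cut.

    precise=False reproduces the buggy line (MathUtils.percOf with a
    1e27-scaled rate); precise=True is the recommended fix.
    """
    divisor = PRECISE_DIVISOR if precise else MATH_UTILS_DIVISOR
    treasury_rewards = perc_of(rewards, cut_rate, divisor)
    return safe_sub(rewards, treasury_rewards)


def reverts(rewards: int, cut_rate: int, precise: bool) -> bool:
    """True when the deduction would revert on-chain."""
    try:
        deduct_treasury(rewards, cut_rate, precise)
        return False
    except ArithmeticError:
        return True


if __name__ == "__main__":
    rate = 10**26            # treasuryRewardCutRate = 0.1e27 (10%), from the report
    rewards = 100 * 10**18   # constructed sample: 100 tokens of rewards
    print("MathUtils path reverts:", reverts(rewards, rate, precise=False))
    print("PreciseMathUtils remaining:", deduct_treasury(rewards, rate, precise=True))
```

With the 1e6 divisor the treasury share is rewards * 1e20, so any non-zero reward underflows; only a zero reward survives the buggy path.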

Tools Used

Manual review

Recommended Mitigation Steps

Change MathUtils to PreciseMathUtils:

    // Deduct what would have been the treasury rewards
    uint256 treasuryRewards = PreciseMathUtils.percOf(rewards, treasuryRewardCutRate);
    rewards = rewards.sub(treasuryRewards);

Assessed type

Decimal
