User Score Not Updated During Interest Claim, Leading to Incorrect Interest Calculations

Code4rena, 2023-09-venus findings, issue 673. Oct 04, 2023.
Source: github.com
Tags: incorrect interest calculations, outdated score, claiming mechanism


Lines of code
<https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L597-L601>
<https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L672-L697>

Vulnerability details

Impact

This oversight in the contract logic may lead to incorrect interest calculations for users. Specifically, if a user's balance or the factors contributing to the score change between interest accruals (through actions other than staking more tokens), the system may use an outdated score when calculating the user's interest at claim time. This could result in users claiming either less or more interest than they are entitled to, compromising the integrity of the platform's reward distribution mechanism.

Proof of Concept

1. Incorrect Interest Accrual:

  • When a user calls the claimInterest function, the contract computes the interest accrued via getInterestAccrued, which in turn invokes accrueInterest. That method advances the market's rewardIndex by the income accrued since the last distribution.
    Link to claimInterest()
    Link to getInterestAccrued

2. User Score Calculation:

  • A user's score is adjusted only within the _updateScore method, which is invoked when the xvsUpdated function runs, typically when the user stakes more tokens.
    Link to _updateScore

3. Lack of Score Update during Interest Claiming:

  • Notably, during the interest claim itself (_claimInterest), the user's score is not updated.
    Link to _claimInterest

Illustrative Scenario (for PoC clarity):
Imagine a user Alice whose initial score was 100. Over time, due to various activities on the platform, her effective score should now be 120. However, because she has not staked more tokens recently, her stored score remains outdated. When Alice claims her interest, the system calculates her rewards from the old score of 100 instead of the current score of 120, so Alice receives less interest than she is owed.

Tools Used

  • Manual Inspection

Recommended Mitigation Steps

  1. Update Score during Interest Claim: Incorporate logic to update the user’s score within the claimInterest function. This ensures that the most recent score is always used during interest calculation.

  2. Trigger-based Score Update: Implement a trigger mechanism that updates a user’s score anytime there’s an action that might change it, not just during staking.
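The accounting flow described in the proof of concept and both mitigation steps, as a simplified Python model added here for illustration. It is not the Venus Prime contract's code: the score function (min of the two factors), the SCALE constant, the income figure, and the second member Bob are all constructed assumptions; only the shape of the flow (a market rewardIndex advanced by accrueInterest, a stored per-user score that only _updateScore refreshes, and a claim that reads the stored score) follows the finding.

```python
from dataclasses import dataclass

# Hypothetical model of the reward accounting the finding describes.  Names
# such as compute_score() and SCALE are assumptions made for this example.

SCALE = 10**18  # fixed-point scale for the reward index (constructed)


@dataclass
class User:
    xvs_staked: int          # first factor feeding the score
    capital: int             # second factor feeding the score (supply/borrow position)
    score: int = 0           # score stored in the contract; can go stale
    reward_index: int = 0    # market index at the user's last settlement
    accrued: int = 0         # interest credited but not yet claimed


@dataclass
class Market:
    reward_index: int = 0           # cumulative reward per unit of score, SCALE-scaled
    sum_of_members_score: int = 0   # denominator used when distributing income


def compute_score(user: User) -> int:
    """Hypothetical score: min(staked, capital) stands in for the real formula.
    The only property that matters here is that it depends on both factors."""
    return min(user.xvs_staked, user.capital)


def accrue_interest(market: Market, income: int) -> None:
    """accrueInterest analogue: spread `income` over all members' scores."""
    if market.sum_of_members_score == 0:
        return
    market.reward_index += income * SCALE // market.sum_of_members_score


def pending_interest(market: Market, user: User, score: int) -> int:
    """Interest since the user's last settlement, evaluated at `score`."""
    return (market.reward_index - user.reward_index) * score // SCALE


def update_score(market: Market, user: User) -> None:
    """_updateScore analogue: settle at the stored score, then store the
    freshly computed score and adjust the market-wide total."""
    user.accrued += pending_interest(market, user, user.score)
    user.reward_index = market.reward_index
    new_score = compute_score(user)
    market.sum_of_members_score += new_score - user.score
    user.score = new_score


def claim_interest(market: Market, user: User) -> int:
    """Flow the finding describes: the payout uses whatever score is stored,
    so a score that went stale between accruals is used unchanged."""
    payout = user.accrued + pending_interest(market, user, user.score)
    user.accrued = 0
    user.reward_index = market.reward_index
    return payout


def claim_interest_refreshed(market: Market, user: User) -> int:
    """Mitigation 1: recompute the score inside the claim so the current
    factors, not the stale stored value, drive the payout."""
    current_score = compute_score(user)
    payout = user.accrued + pending_interest(market, user, current_score)
    market.sum_of_members_score += current_score - user.score
    user.score = current_score
    user.accrued = 0
    user.reward_index = market.reward_index
    return payout


def scenario(mode: str) -> int:
    """Alice's stored score is 100, a factor change means it should be 120,
    then income accrues and she claims.  `mode` selects the flow:
    "stale" (finding), "refresh_on_claim" (mitigation 1), "trigger" (mitigation 2).
    Returns Alice's payout."""
    market = Market()
    alice = User(xvs_staked=120, capital=100)
    bob = User(xvs_staked=80, capital=80)
    update_score(market, alice)        # stored score 100
    update_score(market, bob)          # stored score 80, market total 180
    alice.capital = 200                # her score should now be 120
    if mode == "trigger":
        update_score(market, alice)    # refresh the moment a factor changes
    accrue_interest(market, 1_800)     # constructed income for the period
    if mode == "refresh_on_claim":
        return claim_interest_refreshed(market, alice)
    return claim_interest(market, alice)


if __name__ == "__main__":
    for mode in ("stale", "refresh_on_claim", "trigger"):
        print(mode, scenario(mode))
```

With the stale score Alice is paid 1000 of the 1800 accrued (100 of 180 score units); refreshing inside the claim pays her 1200. Note that in an index-based scheme the second figure is credited against an index that was computed with the old total of 180, so Alice's 1200 plus Bob's 800 exceeds the 1800 that actually accrued. That is the practical argument for the second mitigation: refreshing the score when a factor changes (the "trigger" mode, paying 1080 of 1800 at 120 of 200 score units) keeps the member total and the index consistent.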

Assessed type

Other
