Code4rena (code423n4), CODE423N4:2024-01-CANTO-FINDINGS-ISSUES-1
Jan 26, 2024 - 12:00 a.m.

nextEpoch is incorrect

Lines of code

Vulnerability details

Impact

Rewards and voting weights are aligned on a weekly basis. However, nextEpoch is calculated incorrectly, which may break the invariant "The total rewards that are sent for one block should never be higher than the rewards that were configured for this block."

Proof of Concept

            uint256 i = market.lastRewardBlock;
            while (i < block.number) {
                uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH; // Rewards and voting weights are aligned on a weekly basis
                uint256 nextEpoch = i + BLOCK_EPOCH;
                uint256 blockDelta = Math.min(nextEpoch, block.number) - i;
                uint256 cantoReward = (blockDelta *
                    cantoPerBlock[epoch] *
                    gaugeController.gauge_relative_weight_write(_market, epoch)) / 1e18;
                market.accCantoPerShare += uint128((cantoReward * 1e18) / marketSupply);
                market.secRewardsPerShare += uint128((blockDelta * 1e18) / marketSupply); // TODO: Scaling
                i += blockDelta;
            }

Suppose BLOCK_EPOCH is 10, the reward from block 30 to block 40 is 10 per block, and the reward from block 40 to block 50 is 1 per block. lastRewardBlock is 35 and the current block is 50. Then epoch will be 30, nextEpoch will be 45 (should be 40) and blockDelta will be 10. This means the reward is calculated as 10 per block from block 35 to block 45. However, the real reward is only 1 per block from block 40 to block 45, which breaks the invariant.

Tools Used

Manual

Recommended Mitigation Steps

                uint256 nextEpoch = epoch + BLOCK_EPOCH;
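
The report's numbers replayed in a small Python model of the loop, comparing the reported line with the recommended one against the configured per-block budget. This is an added example, not the contract's or the report's code; `accrue`, `configured_budget`, `overpaying_starts` and the reward schedule are constructed for illustration, the gauge weight is assumed to be 1 and the per-share division is omitted.

```python
BLOCK_EPOCH = 10                   # value used in the report's example
CANTO_PER_BLOCK = {30: 10, 40: 1}  # constructed schedule: epoch start -> reward per block


def epoch_of(block):
    return (block // BLOCK_EPOCH) * BLOCK_EPOCH


def accrue(last_reward_block, current_block, fixed):
    """Replay the accrual loop; return (segments, total reward paid).

    Assumption: gauge weight is 1 and the per-share division is omitted.
    """
    segments, total = [], 0
    i = last_reward_block
    while i < current_block:
        epoch = epoch_of(i)
        # Reported line: i + BLOCK_EPOCH. Recommended: epoch + BLOCK_EPOCH.
        next_epoch = (epoch if fixed else i) + BLOCK_EPOCH
        block_delta = min(next_epoch, current_block) - i
        total += block_delta * CANTO_PER_BLOCK.get(epoch, 0)
        segments.append((i, i + block_delta, epoch))
        i += block_delta
    return segments, total


def configured_budget(last_reward_block, current_block):
    """Invariant bound: configured reward summed block by block."""
    return sum(CANTO_PER_BLOCK.get(epoch_of(b), 0)
               for b in range(last_reward_block, current_block))


def overpaying_starts(current_block, first_block=30):
    """lastRewardBlock values for which the reported loop exceeds the budget."""
    return [s for s in range(first_block, current_block)
            if accrue(s, current_block, fixed=False)[1]
            > configured_budget(s, current_block)]


if __name__ == "__main__":
    for fixed in (False, True):
        segments, total = accrue(35, 50, fixed)
        print("fixed" if fixed else "reported", segments, total,
              "budget", configured_budget(35, 50))
    print("overpaying lastRewardBlock values:", overpaying_starts(50))
```

In this model the two versions agree whenever lastRewardBlock sits on an epoch boundary, so a regression test for the fix needs an update that starts mid-epoch and crosses into an epoch with a different reward rate.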

Assessed type

Context

