Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2024-01-CANTO-FINDINGS-ISSUES-10
HistoryJan 28, 2024 - 12:00 a.m.

update_market() market weight incorrect

2024-01-2800:00:00
Code4rena
github.com
6
update market
weight
time parameter
gauge controller
lending ledger
epoch
mitigation
error
vulnerability
canto reward
block number

7.1 High

AI Score

Confidence

Low

JSON

Lines of code

Vulnerability details

Vulnerability details

in update_market()
We need to get the weight percentage of the corresponding market epoch through gaugeController
Then allocate cantoPerBlock[epoch] according to the percentage
The main logic code is as follows:

    function update_market(address _market) public {
        require(lendingMarketWhitelist[_market], "Market not whitelisted");
        MarketInfo storage market = marketInfo[_market];
        if (block.number > market.lastRewardBlock) {
            uint256 marketSupply = lendingMarketTotalBalance[_market];
            if (marketSupply > 0) {
                uint256 i = market.lastRewardBlock;
                while (i < block.number) {
                    uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH; // Rewards and voting weights are aligned on a weekly basis
                    uint256 nextEpoch = i + BLOCK_EPOCH;
                    uint256 blockDelta = Math.min(nextEpoch, block.number) - i;
                    uint256 cantoReward = (blockDelta *
                        cantoPerBlock[epoch] *
@>                      gaugeController.gauge_relative_weight_write(_market, epoch)) / 1e18;
                    market.accCantoPerShare += uint128((cantoReward * 1e18) / marketSupply);
                    market.secRewardsPerShare += uint128((blockDelta * 1e18) / marketSupply); // TODO: Scaling
                    i += blockDelta;
                }
            }
            market.lastRewardBlock = uint64(block.number);
        }
    }
  1. Calculate epoch
  2. Then get the corresponding weight of the market through gaugeController.gauge_relative_weight_write(market,epoch)

The problem is that epoch is block number

> market.lastRewardBlock = uint64(block.number)
uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH

But the second parameter of gaugeController.gauge_relative_weight_write(market,epoch) is time

gauge_relative_weight_write()->_gauge_relative_weight()

contract GaugeController {
@>  uint256 public constant WEEK = 7 days;
...
    function _gauge_relative_weight(address _gauge, uint256 _time) private view returns (uint256) {
@>      uint256 t = (_time / WEEK) * WEEK;
        uint256 total_weight = points_sum[t].bias;
        if (total_weight > 0) {
            uint256 gauge_weight = points_weight[_gauge][t].bias;
            return (MULTIPLIER * gauge_weight) / total_weight;
        } else {
            return 0;
        }
    }

For example, the current canto BLOCK: 7999034
After calculation in gaugeController, it is: 7999034 / WEEK * WEEK = 1970-04-02
The wrong time cycle, the weight obtained is basically 0, so the reward cannot be obtained

Impact

Incorrectly using block number as a time parameter, unable to get weight, unable to accumulate rewards

Recommended Mitigation

It is recommended that LendingLedger refer to GaugeController, and also use time to record epoch

Assessed type

Error

The text was updated successfully, but these errors were encountered:

All reactions

7.1 High

AI Score

Confidence

Low

JSON