Code4renaCODE423N4:2024-01-CANTO-FINDINGS-ISSUES-9update_market() nextEpoch calculation incorrect
7.1 High
AI Score
Confidence
Low
Vulnerability details
Vulnerability details
A very important logic of update_market() is to update accCantoPerShare.
When updating, if it crosses the epoch boundary, it needs to use the corresponding epochβs cantoPerBlock[epoch].
For example:
cantoPerBlock[100000] = 100
cantoPerBlock[200000] = 0 (No reward)
lastRewardBlock = 199999
block.number = 200002
At this time, accCantoPerShare needs to be increased:
= cantoPerBlock[100000] * 1 Delta + cantoPerBlock[200000] *2 Delta
= 100 * (200000 - 199999) + 0 * (200002 - 200000) = 100
The code is as follows:
function update_market(address _market) public {
require(lendingMarketWhitelist[_market], "Market not whitelisted");
MarketInfo storage market = marketInfo[_market];
if (block.number > market.lastRewardBlock) {
uint256 marketSupply = lendingMarketTotalBalance[_market];
if (marketSupply > 0) {
uint256 i = market.lastRewardBlock;
while (i < block.number) {
uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH; // Rewards and voting weights are aligned on a weekly basis
@> uint256 nextEpoch = i + BLOCK_EPOCH;
uint256 blockDelta = Math.min(nextEpoch, block.number) - i;
uint256 cantoReward = (blockDelta *
cantoPerBlock[epoch] *
gaugeController.gauge_relative_weight_write(_market, epoch)) / 1e18;
market.accCantoPerShare += uint128((cantoReward * 1e18) / marketSupply);
market.secRewardsPerShare += uint128((blockDelta * 1e18) / marketSupply); // TODO: Scaling
i += blockDelta;
}
}
market.lastRewardBlock = uint64(block.number);
}
}
The above code, the calculation of nextEpoch is wrong
> uint256 nextEpoch = i + BLOCK_EPOCH;
The correct one should be
> uint256 nextEpoch = epoch + BLOCK_EPOCH;
As a result, the increase of accCantoPerShare becomes:
= cantoPerBlock[100000] * 3 Delta
= 100 * (200002 - 199999) = 300
Impact
The calculation of update_market() is incorrect when crossing the epoch boundary, causing the calculation of accCantoPerShare to be incorrect, which may increase the allocated rewards.
Proof of Concept
The following code demonstrates the above example
add to LendingLedgerTest.t.sol
function test_ErrorNextEpoch() external {
vm.roll(fromEpoch);
whiteListMarket();
//only set first , second cantoPerBlock = 0
vm.prank(goverance);
ledger.setRewards(fromEpoch, fromEpoch, amountPerBlock);
vm.prank(lendingMarket);
ledger.sync_ledger(lender, 1e18);
//set lastRewardBlock = nextEpoch - 10
vm.roll(fromEpoch + BLOCK_EPOCH - 10);
ledger.update_market(lendingMarket);
//cross-border
vm.roll(fromEpoch + BLOCK_EPOCH + 10);
ledger.update_market(lendingMarket);
//show more
(uint128 accCantoPerShare,,) = ledger.marketInfo(lendingMarket);
console.log("accCantoPerShare:",accCantoPerShare);
console.log("more:",accCantoPerShare - amountPerEpoch);
}
$ forge test -vvv --match-test test_ErrorNextEpoch
Running 1 test for src/test/LendingLedger.t.sol:LendingLedgerTest
[PASS] test_ErrorNextEpoch() (gas: 185201)
Logs:
accCantoPerShare: 1000100000000000000
more: 100000000000000
Recommended Mitigation
function update_market(address _market) public {
require(lendingMarketWhitelist[_market], "Market not whitelisted");
MarketInfo storage market = marketInfo[_market];
if (block.number > market.lastRewardBlock) {
uint256 marketSupply = lendingMarketTotalBalance[_market];
if (marketSupply > 0) {
uint256 i = market.lastRewardBlock;
while (i < block.number) {
uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH; // Rewards and voting weights are aligned on a weekly basis
- uint256 nextEpoch = i + BLOCK_EPOCH;
+ uint256 nextEpoch = epoch + BLOCK_EPOCH;
Assessed type
Error
The text was updated successfully, but these errors were encountered:
All reactions
7.1 High
AI Score
Confidence
Low