New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The function BondNFT.sol#claim() is calculated incorrectly on rewards. #523
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-630
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Dec 16, 2022
Making primary as it has well developed math |
c4-judge
added
the
primary issue
Highest quality submission among a set of duplicates
label
Dec 22, 2022
GalloDaSballo marked the issue as primary issue |
This was referenced Dec 22, 2022
c4-judge
removed
the
primary issue
Highest quality submission among a set of duplicates
label
Dec 22, 2022
GalloDaSballo marked the issue as duplicate of #630 |
GalloDaSballo changed the severity to 2 (Med Risk) |
c4-judge
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
downgraded by judge
Judge downgraded the risk level of this issue
and removed
3 (High Risk)
Assets can be stolen/lost/compromised directly
labels
Jan 22, 2023
GalloDaSballo marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Jan 22, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-630
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/BondNFT.sol#L177-L183
Vulnerability details
Impact
Some users will lose some rewards, and malicious users can use this to gain more rewards.
Proof of Concept
In function BondNFT.sol#claim(), if the claiming bond is expired, the excess of its rewards is re-distributed to all other users:
The following table illustrates the states and transitions of an BondNFT:
Let's use the above table as an example to analyze the problems.
1. Miscalculation of accRewardsPerShare
The
_pendingDelta
is the rewards to be re-distributed, and the formula is:This formula is wrong. Because the
totalShares[bond.asset]
includes the expired shares of the claiming bond, which should not be included.For example, in h7 of the above table
claim(b1)
is called:_pendingDelta = 20u
is re-distributedtotalShares = 300s
(each of b1, b3, b4 has 100s)Thus,
accRewardsPerShare
will increase by_pendingDelta/totalShares = 20u/300s = 0.06666667
, which results in the pending reward of b3 and b4 increasing 6.7u each.This is not correct, the
20u/300s
should be corrected to20u/(300s-100s)
, subtracting shares of b1 from total shares.i.e. The h7 should be:
2. Unfair re-distribution
The
_pendingDelta
is re-distributed to all shares of the current epoch.This is not fair for bonds that have been released after the expire time of this claiming bond.
For example, in h7 of the above table
claim(b1)
is called. The_pendingDelta = 20u
is re-distributed to b3 and b4.But in fact it should belong to b2 and b3. Because this
_pendingDelta
is generated at h3, when b2's share is still there and has not expired, and b4 has not been created yet.Tools Used
Manual
Recommended Mitigation Steps
The wrong calculation at BondNFT.sol#claim() should be corrected as:
And for the "unfair re-distributed", there seems to be no easy way to fix it.
Maybe a scheme like liquidity mining can be considered.
The text was updated successfully, but these errors were encountered: