Possible rounding during the reward calculation #30
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
M-04
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/erc20/RewardableERC20.sol#L86
Vulnerability details
Impact
Some rewards might be locked inside the contract due to the rounding loss.
Proof of Concept
_claimAndSyncRewards()
claimed the rewards from the staking contract and tracksrewardsPerShare
with the current supply.It uses one as a multiplier and from this setting we know it has the same decimals as
underlying
(thustotalSupply
).My concern is
_claimAndSyncRewards()
is called for each deposit/transfer/withdraw in _beforeTokenTransfer() and it will make the rounding problem more serious.totalSupply = 10**6 with 18 decimals
,rewardToken
has 6 decimals.And total rewards for 1 year are
1M rewardToken
for1M totalSupply
._claimAndSyncRewards()
might be called every 1 min due to the frequent user actions.1000000 / 365 / 24 / 60 = 1.9 rewardToken = 1900000 wei
.1900000 * 10**18 / (1000000 * 10**18) = 1
.So users would lose almost 50% of rewards due to the rounding loss and these rewards will be locked inside the contract.
Tools Used
Manual Review
Recommended Mitigation Steps
I think there would be 2 mitigation.
_claimAndSyncRewards()
like this.Assessed type
Math
The text was updated successfully, but these errors were encountered: