This repository has been archived by the owner on May 26, 2023. It is now read-only.
hickuphh3 - Loss of rewards if pointsPerShare
increment exceeds type(int256).max
#59
Labels
hickuphh3
medium
Loss of rewards if
pointsPerShare
increment exceedstype(int256).max
Summary
Rewards would be unrecoverable if
pointsPerShare
is incremented to more thantype(int256).max
.Vulnerability Detail
When rewards are distributed by calling
distributeRewards()
, the internal function_distributeRewards()
may causepointsPerShare
to overflow to a point where its multiplication withshares
cannot be safely casted toint256
.POC
Assume
pointsPerShare = 0
shares = getTotalShares() = 1
andamount = (type(int256).max) / POINTS_MULTIPLIER + 1
Then,
pointsPerShare
becomesThis would then cause
cumulativeRewardsOf()
<-withdrawableRewardsOf()
<-_prepareCollect()
to revert ie. claiming of rewards to revert because the safecasting toint256
would revert:causing distributed rewards to be unclaimable.
Impact
Rewards can never be claimed nor recovered.
Code Snippet
https://github.com/Merit-Circle/merit-liquidity-mining/blob/ce5feaae19126079d309ac8dd9a81372648437f1/contracts/base/AbstractRewards.sol#L74
https://github.com/Merit-Circle/merit-liquidity-mining/blob/ce5feaae19126079d309ac8dd9a81372648437f1/contracts/base/AbstractRewards.sol#L95-L97
Tool used
Manual Review
Recommendation
In
_distributeRewards()
, ensure thatpointsPerShare * shares
can be safely casted totoInt256
, ie. does not exceeduint256(type(int256).max)
.if (_amount > 0) { pointsPerShare = pointsPerShare + (_amount * POINTS_MULTIPLIER / shares); + if (pointsPerShare * shares > uint256(type(int256).max)) revert PointsOverflow(); emit RewardsDistributed(msg.sender, _amount); }
P.S the unsafe casting of
pointsPerShare
in_correctPoints
will be fine becausepointsPerShare
<pointsPerShare * shares
<=uint256(type(int256).max)
The text was updated successfully, but these errors were encountered: