You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 26, 2023. It is now read-only.
Curve values are not checked to be in increasing order. Leading to revert of several core functions.
Summary
The curve values in TimeLockPool.sol are not checked to be in increasing order, which might result in all functions which uses the getMultiplier function to revert.
Vulnerability Detail
Looking at the getMultiplier code, the return statement of getMultiplier involves a calculation of curve[n + 1] - curve[n]. This assumes that the curve value at index n+1 is greater than or equal to the one at index n. If that is not the case, the function will revert, resulting in revert of the calling function.
The curve values are set in the following functions:
Suppose the lock duration passed to getMultiplier falls in the curve between indices i and i+1.
If curve[i+1] < curve[i], then these functions will revert due to an underflow error in subtraction in line 245 of TimeLockPool.
Code Snippet
getMultiplier function:
function getMultiplier(uint256_lockDuration) publicviewreturns(uint256) {
// There is no need to check _lockDuration amount, it is always checked before// in the functions that call this function// n is the time unit where the lockDuration standsuint n = _lockDuration / unit;
// if last point no need to interpolate// trim de curve if it exceedes the maxBonus // TODO check if this is neededif (n == curve.length-1) {
return1e18+ curve[n];
}
// linear interpolation between pointsreturn1e18+ curve[n] + (_lockDuration - n * unit) * (curve[n +1] - curve[n]) / unit;
}
Tool used
Manual Review
Recommendation
Include a require condition check before the curve values are set. For example the initialization function where curve values are initially set can be modified like this:
for (uint i=0; i < _curve.length; i++) {
if (_curve[i] > _maxBonus) {
revertMaxBonusError();
}
if (i >0&& _curve[i] > _curve[i-1]) {
revertInvalidCurveValue();
}
curve.push(_curve[i]);
}
ElKu
medium
Curve values are not checked to be in increasing order. Leading to revert of several core functions.
Summary
The curve values in
TimeLockPool.sol
are not checked to be in increasing order, which might result in all functions which uses thegetMultiplier
function to revert.Vulnerability Detail
Looking at the
getMultiplier
code, the return statement of getMultiplier involves a calculation ofcurve[n + 1] - curve[n]
. This assumes that the curve value at indexn+1
is greater than or equal to the one at indexn
. If that is not the case, the function will revert, resulting in revert of the calling function.The curve values are set in the following functions:
None of these functions check if the current point on curve is greater than the previous point set.
Impact
There are several functions which use getMultiplier. They are:
TimeLockPool.sol
TimeLockPool.sol
TimeLockPool.sol
View.sol
Suppose the
lock duration
passed togetMultiplier
falls in the curve between indicesi
andi+1
.If
curve[i+1]
<curve[i]
, then these functions will revert due to an underflow error in subtraction in line 245 ofTimeLockPool
.Code Snippet
getMultiplier function:
Tool used
Manual Review
Recommendation
Include a
require
condition check before the curve values are set. For example the initialization function where curve values are initially set can be modified like this:Duplicate of #111
The text was updated successfully, but these errors were encountered: