Platform: Code4rena
Start Date: 08/03/2023
Pot Size: $60,500 USDC
Total HM: 2
Participants: 123
Period: 7 days
Judge: hansfriese
Id: 220
League: ETH
Rank: 42/123
Findings: 1
Award: $154.74
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rokso
Also found by: 0x52, 0xnev, ABA, BPZ, DadeKuma, Haipls, J4de, Jeiwan, Josiah, Krace, LegendFenGuin, Lirios, MadWookie, RaymondFam, Ruhum, Toshii, UdarTeam, aashar, ak1, anodaram, auditor0517, carlitox477, cccz, jekapi, juancito, kaden, kenzo, minhquanym, nobody2018, rbserver, rokso, ulqiorra
154.74 USDC - $154.74
LP can be unstaked while retaining the points associated with it
```solidity
PoolData storage pool = _pools[AssetType.LP];
unchecked {
    uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR; // <- @audit-issue precision loss

    // Update the caller's LP token stake.
    lpPosition.amount -= amount;
    lpPosition.points -= points;

    // Update the pool point weights for rewards.
    pool.totalPoints -= points;
}
```
The `points` calculation loses precision because of the early division by 1e18. As a result, if amount < 1e16 then points will be 0. This means that the user still receives their LP but doesn't lose the corresponding points. An adversary can abuse this by depositing then withdrawing their LP in small chunks so that their LP is unstaked but they still retain all their points.
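The arithmetic above, modelled in Python as a regression check for the invariant "a fully withdrawn position holds zero points" (an added example, not code from the contract or from this report). Python's `//` truncates like Solidity's unsigned division; `_DIVISOR = 100`, the multiplier of 150, and crediting points at stake time with the same formula are assumptions. The check covers both the original expression and the reordered one from the recommended mitigation.

```python
WAD = 10**18
DIVISOR = 100      # assumed value of _DIVISOR (not shown on the page)
MULTIPLIER = 150   # constructed sample multiplier


def points_original(amount, multiplier=MULTIPLIER):
    # amount * 100 / 1e18 * multiplier / _DIVISOR, evaluated left to right:
    # the division by 1e18 happens before the multiplier is applied.
    return amount * 100 // WAD * multiplier // DIVISOR


def points_reordered(amount, multiplier=MULTIPLIER):
    # amount * multiplier / 1e18: multiply first, divide once.
    return amount * multiplier // WAD


def points_left_after_full_withdrawal(points_fn, staked, chunk):
    """Stake once, withdraw everything in pieces of `chunk` wei, and
    return the points still credited to the position afterwards.
    Assumes staking credits points with the same formula (not on the page)."""
    points = points_fn(staked)
    remaining = staked
    while remaining > 0:
        amount = min(chunk, remaining)
        points -= points_fn(amount)   # mirrors lpPosition.points -= points
        remaining -= amount
    return points


if __name__ == "__main__":
    staked = WAD  # 1 LP token, constructed sample
    for name, fn in (("original", points_original),
                     ("reordered", points_reordered)):
        for chunk in (WAD, 10**16 - 1):
            left = points_left_after_full_withdrawal(fn, staked, chunk)
            print(f"{name:9s} chunk={chunk:<19d} points left={left}")
```

Any non-zero result breaks the invariant. The reordered expression leaves fewer points behind at this chunk size but still truncates per withdrawal, so the invariant is worth asserting in the contract's own test suite as well.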
Manual Review
Change order of operations to prevent this precision loss:
unchecked { - uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR; + uint256 points = amount * lpPosition.multiplier / 1e18;
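Review bot: the added line `uint256 points = amount * lpPosition.multiplier / 1e18;` drops both `* 100` and `/ _DIVISOR`, so it keeps the scale of the removed line only if `_DIVISOR` is 100; say so in a comment or keep the constant, e.g. `amount * 100 * lpPosition.multiplier / (1e18 * _DIVISOR)`. The single division also still truncates: any `amount` with `amount * lpPosition.multiplier < 1e18` yields `points == 0`, so consider reverting when `points` is 0 for a non-zero `amount`, or deriving the removed points from the position's remaining amount.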
#0 - c4-judge
2023-03-16T05:44:02Z
hansfriese marked the issue as satisfactory
#1 - c4-judge
2023-03-16T05:44:19Z
hansfriese marked the issue as duplicate of #348
#2 - c4-judge
2023-03-21T09:19:29Z
hansfriese marked the issue as duplicate of #261