Neo Tokyo contest - kaden's results

A staking contract for the crypto gaming illuminati.

General Information

Platform: Code4rena

Start Date: 08/03/2023

Pot Size: $60,500 USDC

Total HM: 2

Participants: 123

Period: 7 days

Judge: hansfriese

Id: 220

League: ETH

Researcher Performance

Rank: 29/123

Findings: 2

Award: $184.41

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

154.74 USDC - $154.74

Labels

bug
3 (High Risk)
satisfactory
duplicate-261

External Links

Lines of code

https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/NeoTokyoStaker.sol#L1623

Vulnerability details

Impact

An attacker may artificially inflate their points as much as they like by exploiting a loss of precision.

Proof of Concept

In _withdrawLP(), there is logic that determines how many points to decrement the user's LP pool position by, according to the amount withdrawn and the multiplier that was applied.

    // _withdrawLP() - NeoTokyoStaker.sol:L1623-1627
    uint256 points = amount * 100 / 1e18 * lpPosition.multiplier / _DIVISOR;
    ...
    lpPosition.points -= points;

The problem with this logic, however, is a loss of precision in calculating the points: amount * 100 / 1e18 is truncated before the multiplier is applied, so if the amount is less than 1e16, points will be 0.

This allows the following attack to take place:

  • Deposit LP tokens
  • Make many <0.01 LP token withdrawals
  • Repeat as desired to obtain significant stake in total LP pool

Based on the maximum size of withdrawals for this attack to function, <0.01 LP tokens, it may seem unlikely to be possible. However, a very small number of LP tokens may correspond to a very valuable position. Take for example this transaction displaying a deposit of ~$7k in liquidity to the Uniswap v2 USDT/WETH pool, obtaining only ~0.000037 LP tokens. It's also important to consider other ways in which this attack may be possible, e.g. if the LP token has less than 18 decimals.

Therefore, it is easily possible for an attacker to significantly manipulate their points in the LP token pool such that they earn a significant portion, or even the entirety, of the rewards assigned to the pool.

It may be necessary to reconfigure points to be normalized to 18 decimal places throughout the protocol such that precision isn't lost.
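The rounding described above, modelled in Python as an added example (not code from the contest repository or from this report), with floor division standing in for Solidity's uint256 division. The values of `_DIVISOR` and the multiplier, the assumption that deposits are credited with the same expression, and the `points_scaled` variant (one reading of the 18-decimal suggestion) are assumptions.

```python
# Added illustration: Python's // on non-negative ints matches Solidity's
# truncating uint256 division, so the point accounting can be checked offline.
WAD = 10**18
DIVISOR = 100      # assumed value of _DIVISOR (not shown on the page)
MULTIPLIER = 100   # assumed lpPosition.multiplier (constructed sample value)

def points_as_written(amount, multiplier=MULTIPLIER):
    """Expression quoted from _withdrawLP(): divides by 1e18 before multiplying."""
    return amount * 100 // WAD * multiplier // DIVISOR

def points_scaled(amount, multiplier=MULTIPLIER):
    """Hypothetical variant: points stay at 18-decimal scale (no / 1e18 step)."""
    return amount * 100 * multiplier // DIVISOR

def smallest_counted_amount(points_fn):
    """Binary search for the smallest amount that yields non-zero points."""
    lo, hi = 1, WAD
    while lo < hi:
        mid = (lo + hi) // 2
        if points_fn(mid) > 0:
            hi = mid
        else:
            lo = mid + 1
    return lo

def residual_points(deposit, chunk, points_fn):
    """Credit points for one deposit, withdraw it all in chunk-sized pieces,
    and return the points still recorded once the token balance is zero.
    Assumption: deposits are credited with the same formula as withdrawals."""
    points = points_fn(deposit)
    remaining = deposit
    while remaining > 0:
        amount = min(chunk, remaining)
        points -= points_fn(amount)   # mirrors lpPosition.points -= points
        remaining -= amount
    return points

if __name__ == "__main__":
    one_lp = WAD  # 1 LP token at 18 decimals (constructed sample deposit)
    print("threshold (as written):", smallest_counted_amount(points_as_written))
    print("residual, 0.005 LP chunks (as written):",
          residual_points(one_lp, 5 * 10**15, points_as_written))
    print("residual, single withdrawal (as written):",
          residual_points(one_lp, one_lp, points_as_written))
    print("residual, 0.005 LP chunks (scaled):",
          residual_points(one_lp, 5 * 10**15, points_scaled))
```

A non-zero residual after the balance reaches zero is the invariant violation to test for: points recorded for a position should return to zero when all of its tokens are withdrawn, whatever the withdrawal sizes.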

#0 - c4-judge

2023-03-16T05:20:16Z

hansfriese marked the issue as satisfactory

#1 - c4-judge

2023-03-16T05:20:45Z

hansfriese marked the issue as duplicate of #348

#2 - c4-judge

2023-03-21T09:19:31Z

hansfriese marked the issue as duplicate of #261
