code-423n4 / 2021-07-sherlock-findings

0 stars 0 forks source link

uncheckable math in `payout()` #126

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xsanson

Vulnerability details

Impact

In the payout() function in Payout.sol, we have this block of code:

if (unallocatedSherX > 0) {
  ...
  // Subtract from unallocated, as the tokens are now allocated to this payout call
  ps.unallocatedSherX = ps.unallocatedSherX.sub(unallocatedSherX);
  // Update the memory variable `totalUnallocatedSherX` to execute on `_doSherX` later
  totalUnallocatedSherX = totalUnallocatedSherX.add(unallocatedSherX);
}

These two equations can be calculated with unchecked math:

the first because we already have require(ps.unallocatedSherX >= unallocatedSherX) some lines before;
the second because the sum of all unallocatedSherX for every token should be bounded by the total supply of SherX.

Proof of Concept

Payout.sol L142

Tools Used

editor

Recommended Mitigation Steps

Uncheck the math to save a little gas.

Evert0x commented 3 years ago

Fair point, not really worth it to optimize the payout function as it will likely not be called a lot.