Lines of code
https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/SDCollateral.sol#L202
Vulnerability details
Impact
SDCollateral.getRewardEligibleSD exhibits a logic flaw, leading to an incorrect computation of the reward-eligible SD amount. This issue stems from the absence of the totalMinThreshold subtraction from the Math.min(sdBalance, totalMaxThreshold) calculation. This oversight inaccurately determines the SD token portion, neglecting the crucial reserve of totalMinThreshold, which leads to false reward calculations. Consequently, any function reliant on the output of getRewardEligibleSD() could malfunction or yield imprecise results, potentially impacting areas such as reward distributions and more.
Proof of Concept
In the ternary logic entailed, if sdBalance < totalMinThreshold, _rewardEligibleSD equals 0. However, when sdBalance >= totalMinThreshold, the existing logic only considers the minimum of sdBalance and the totalMaxThreshold, without factoring in the totalMinThreshold. This leads to faulty calculations and can trigger issues across the system that depend on an accurate computation of reward-eligible SD amounts.
SDCollateral.sol#L193-L203
Recommended Mitigation Steps
It is suggested to refactor getRewardEligibleSD() by subtracting totalMinThreshold from Math.min(sdBalance, totalMaxThreshold).
Assessed type
Math
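The two formulas this report contrasts, side by side, as an added example that is not code from SDCollateral.sol or from the report's author. The contract name, function names, the 18-decimal assumption and the threshold values in boundaryCases() are constructed for illustration, and the thresholds are passed in as arguments rather than derived from pool configuration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Stader's SDCollateral code. Thresholds are passed
// in as arguments (assumption) instead of being read from contract state.
contract RewardEligibleSDModel {
    function _min(uint256 a, uint256 b) private pure returns (uint256) {
        return a < b ? a : b;
    }

    // Logic as the report describes it: 0 below the minimum threshold,
    // otherwise the balance capped at the maximum threshold.
    function asDescribed(uint256 sdBalance, uint256 totalMin, uint256 totalMax)
        public pure returns (uint256)
    {
        return sdBalance < totalMin ? 0 : _min(sdBalance, totalMax);
    }

    // The report's recommendation: subtract the minimum threshold from the
    // capped balance, so only the portion above the reserve is counted.
    function asRecommended(uint256 sdBalance, uint256 totalMin, uint256 totalMax)
        public pure returns (uint256)
    {
        if (sdBalance < totalMin) return 0;
        // Checked arithmetic (0.8+) would revert on the subtraction below if
        // totalMax < totalMin; make that precondition explicit.
        require(totalMax >= totalMin, "max threshold below min threshold");
        return _min(sdBalance, totalMax) - totalMin;
    }

    // Constructed thresholds: min = 100 SD, max = 250 SD (18 decimals assumed).
    // Returns (described, recommended) at four balances around the boundaries:
    // just below min, exactly min, between min and max, and above max.
    function boundaryCases() external pure returns (uint256[2][4] memory r) {
        uint256 lo = 100 ether;
        uint256 hi = 250 ether;
        uint256[4] memory balances = [lo - 1, lo, 180 ether, 400 ether];
        for (uint256 i = 0; i < 4; i++) {
            r[i] = [asDescribed(balances[i], lo, hi), asRecommended(balances[i], lo, hi)];
        }
    }
}
```

At a balance exactly equal to the minimum threshold the first formula counts the whole balance while the second counts none of it. At every balance at or above the minimum, the two results differ by exactly the minimum threshold.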