code-423n4 / 2023-06-stader-findings


Miscalculation of _rewardEligibleSD #375

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/SDCollateral.sol#L202

Vulnerability details

Impact

SDCollateral.getRewardEligibleSD exhibits a logic flaw, leading to an incorrect computation of the reward-eligible SD amount. This issue stems from the absence of the totalMinThreshold subtraction from the Math.min(sdBalance, totalMaxThreshold) calculation. This oversight inaccurately determines the SD token portion, neglecting the crucial reserve of totalMinThreshold, which leads to false reward calculations. Consequently, any function reliant on the output of getRewardEligibleSD() could malfunction or yield imprecise results, potentially impacting areas such as reward distributions and more.

Proof of Concept

In the ternary logic entailed, if sdBalance < totalMinThreshold, _rewardEligibleSD equals 0. However, when sdBalance >= totalMinThreshold, the existing logic only considers the minimum of sdBalance and the totalMaxThreshold, without factoring in the totalMinThreshold. This leads to faulty calculations and can trigger issues across the system that depend on an accurate computation of reward-eligible SD amounts.

SDCollateral.sol#L193-L203

    function getRewardEligibleSD(address _operator) external view override returns (uint256 _rewardEligibleSD) {
        (uint8 poolId, , uint256 validatorCount) = getOperatorInfo(_operator);

        isPoolThresholdValid(poolId);
        PoolThresholdInfo storage poolThreshold = poolThresholdbyPoolId[poolId];

        uint256 totalMinThreshold = validatorCount * convertETHToSD(poolThreshold.minThreshold);
        uint256 totalMaxThreshold = validatorCount * convertETHToSD(poolThreshold.maxThreshold);
        uint256 sdBalance = operatorSDBalance[_operator];
        return (sdBalance < totalMinThreshold ? 0 : Math.min(sdBalance, totalMaxThreshold));
    }

Recommended Mitigation Steps

It is suggested to refactor getRewardEligibleSD() by subtracting totalMinThreshold from Math.min(sdBalance, totalMaxThreshold).

Assessed type

Math
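The following Python model is an added illustration, not part of the original report or of the Stader code base: it runs the quoted return expression and the variant the report recommends side by side over boundary balances, so the size of the difference is visible. Assumptions: the threshold and balance values are constructed, subtraction is modelled as Solidity 0.8-style checked arithmetic, and the page does not show whether isPoolThresholdValid rules out a pool whose max threshold is below its min threshold.

```python
# Added illustration: Python model of the arithmetic in getRewardEligibleSD().
# All numeric values are constructed; none come from the Stader deployment.


class Revert(Exception):
    """Models a checked-arithmetic revert (assumed Solidity >= 0.8 semantics)."""


def checked_sub(a: int, b: int) -> int:
    # uint256 subtraction that reverts instead of wrapping.
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b


def eligible_current(sd_balance: int, total_min: int, total_max: int) -> int:
    # Mirrors the return statement quoted from SDCollateral.sol.
    return 0 if sd_balance < total_min else min(sd_balance, total_max)


def eligible_proposed(sd_balance: int, total_min: int, total_max: int) -> int:
    # The report's suggestion: subtract totalMinThreshold from the min().
    if sd_balance < total_min:
        return 0
    return checked_sub(min(sd_balance, total_max), total_min)


def compare(total_min: int, total_max: int, balances):
    """Return (balance, current, proposed) rows; 'revert' marks an underflow."""
    rows = []
    for balance in balances:
        current = eligible_current(balance, total_min, total_max)
        try:
            proposed = eligible_proposed(balance, total_min, total_max)
        except Revert:
            proposed = "revert"
        rows.append((balance, current, proposed))
    return rows


if __name__ == "__main__":
    # Constructed thresholds: totalMinThreshold = 100, totalMaxThreshold = 400.
    for row in compare(100, 400, [0, 99, 100, 250, 400, 1000]):
        print("balance=%5s current=%5s proposed=%5s" % row)
    # Constructed edge case (max < min): the proposed subtraction underflows.
    print(compare(300, 200, [300]))
```

In this model the two variants agree below totalMinThreshold and differ by exactly totalMinThreshold at or above it, so which one is correct depends on whether the reserved minimum is meant to earn rewards.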

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #238

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

Picodes marked the issue as grade-c