code-423n4 / 2023-10-canto-findings


users will receive lesser rewards than they are supposed to. #303

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-canto/blob/29c92a926453a49c8935025a4d3de449150fc2ff/canto_ambient/contracts/mixins/LiquidityMining.sol#L188

Vulnerability details

Impact

Due to risky math being used in the contract LiquidityMining.sol, the user could lose their rewards.

Proof of Concept

The calculation for user rewards in the LiquidityMining.sol contract in multiple instances divides the rewards earned by the user with a value that is much larger than it. This is risky because if the numerator is small enough in comparison to the denominator, the rewards earned by the user will end up becoming zero when they were actually not. This will cause the users to miss out on rewards that they earned. The documentation clearly states that this is something that should not happen, i.e. a user receiving lesser rewards than they were supposed to.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider setting a minimum value of rewards before the user can get the rewards. Determine this minimum value in a way that the calculation will not end up being zero. Let the user rewards accumulate until they reach the minimum value and then disperse them to the user in the epoch when it does reach the minimum threshold.

Assessed type

Math
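The truncation described in the report, next to the recommended accumulate-until-threshold mitigation, as an added example that is not part of the original report or the Canto contract. The pro-rata formula, the function names and the sample values are assumptions constructed for illustration, with Python's `//` standing in for Solidity's unsigned integer division.

```python
# Constructed model: reward share = user_liq * reward_per_epoch / total_liq,
# computed with floor division as unsigned integer math would do on-chain.
# The formula and all names here are assumptions, not the contract's code.


def payout_truncating(user_liq, total_liq, reward_per_epoch, epochs):
    """Pay floor(share) every epoch and drop the remainder each time."""
    paid = 0
    for _ in range(epochs):
        paid += (user_liq * reward_per_epoch) // total_liq
    return paid


def payout_with_carry(user_liq, total_liq, reward_per_epoch, epochs, min_payout=1):
    """Carry the unpaid numerator forward and pay only once at least
    min_payout whole reward units have accrued (the report's mitigation)."""
    paid = 0
    carry = 0  # unpaid numerator, in units of (liquidity * reward)
    for _ in range(epochs):
        carry += user_liq * reward_per_epoch
        due = carry // total_liq
        if due >= min_payout:
            paid += due
            carry -= due * total_liq  # keep only the undistributed remainder
    return paid, carry


def demo():
    # Constructed sample values: a small position in a large pool.
    user_liq, total_liq, reward, epochs = 3, 10**6, 10**5, 10
    lossy = payout_truncating(user_liq, total_liq, reward, epochs)
    paid, carry = payout_with_carry(user_liq, total_liq, reward, epochs)
    # Conservation check: everything earned is either paid or still carried.
    assert paid * total_liq + carry == user_liq * reward * epochs
    return lossy, paid, carry


if __name__ == "__main__":
    lossy, paid, carry = demo()
    print(f"truncating per epoch: {lossy}, with carry: {paid} (carry left: {carry})")
```
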

c4-pre-sort commented 1 year ago

141345 marked the issue as duplicate of #10

c4-pre-sort commented 1 year ago

141345 marked the issue as sufficient quality report

c4-judge commented 1 year ago

dmvt marked the issue as unsatisfactory: Out of scope