Incorrect rewards calculation with low balances (rounding down to zero)

[c4-bot-9]

Lines of code

https://github.com/code-423n4/2024-03-abracadabra-money/blob/1f4693fdbf33e9ad28132643e2d6f7635834c6c6/src/staking/LockingMultiRewards.sol#L292-L295

Vulnerability details

[M-08] Incorrect rewards calculation with low balances (rounding down to zero)

Impact

• In LockingMultiRewards contract: whenever a user stakes, withdraws or claims his rewards; his rewards are updated via _updateRewardsForUser() function, where it loops over reward tokens and updates the rewards[user_][token_] via _udpateUserRewards() function:

    function _updateRewardsForUser(address user) internal {
        uint256 balance = balanceOf(user);
        uint256 totalSupply_ = totalSupply();
  
        for (uint256 i; i < rewardTokens.length; ) {
            address token = rewardTokens[i];
            _udpateUserRewards(user, balance, token, _updateRewardsGlobal(token, totalSupply_));
  
            unchecked {
                ++i;
            }
        }
    }

    function _udpateUserRewards(address user_, uint256 balance_, address token_, uint256 rewardPerToken_) internal {
        rewards[user_][token_] = _earned(user_, balance_, token_, rewardPerToken_);
        userRewardPerTokenPaid[user_][token_] = rewardPerToken_;
    }

    function _earned(address user, uint256 balance_, address rewardToken, uint256 rewardPerToken_) internal view returns (uint256) {
        uint256 pendingUserRewardsPerToken = rewardPerToken_ - userRewardPerTokenPaid[user][rewardToken];
  
        return ((balance_ * pendingUserRewardsPerToken) / 1e18) + rewards[user][rewardToken];
    }

• But as can be noticed from _earned() function; if the balance_ * pendingUserRewardsPerToken is less than 1e18, it will be rounded down to zero and the _earned() function will return the same old value without update.

Proof of Concept

LockingMultiRewards._earned function

    function _earned(address user, uint256 balance_, address rewardToken, uint256 rewardPerToken_) internal view returns (uint256) {
        uint256 pendingUserRewardsPerToken = rewardPerToken_ - userRewardPerTokenPaid[user][rewardToken];
        return ((balance_ * pendingUserRewardsPerToken) / 1e18) + rewards[user][rewardToken];
    }

Tools Used

Manual Review.

Recommended Mitigation Steps

Implement a mechanism that prevents updating the rewards[user_][token_] if (balance_ * pendingUserRewardsPerToken) is < 1e18 .

Assessed type

Math

[0xm3rlin]

no factor

[c4-pre-sort]

141345 marked the issue as insufficient quality report

[141345]

similar to https://github.com/code-423n4/2024-03-abracadabra-money-findings/issues/166, but lack detailed POC why rounding could have problem

[thereksfour]

Invalid, 1e18 is the amplifier for rewardPerToken_ to prevent rounding losses, divided by 1e18 is the correct reward amount

[c4-judge]

thereksfour marked the issue as unsatisfactory: Invalid