The issue highlighted a unique edge case pertaining to the fact that upon a user claiming their rewards, the virtualrewards amountcan round down to zero upon careful selection of share amount as a parameter, as can be seen in the formula below:
Passing certain share amounts can force the calculation above to round down to zero, which then means the user can claim more rewards than they should:
Lines of code
Vulnerability details
Lines of code
Vulnerability details
Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/1021
Comments
The issue highlighted a unique edge case pertaining to the fact that upon a user claiming their rewards, the virtualrewards amountcan round down to zero upon careful selection of share amount as a parameter, as can be seen in the formula below:
Passing certain share amounts can force the calculation above to round down to zero, which then means the user can claim more rewards than they should:
Mitigation
https://github.com/othernet-global/salty-io/commit/b3b8cb955db2b9f0e47a4964e1e4f833a447a72d
As is evident in the mitigation, The final mitigation for this was to simply round up the virtual rewards as follows:
Conclusion
LGTM