Open hats-bug-reporter[bot] opened 7 months ago
My issue with the proposed fix is that the mapping `periodBlockCheckpoint` will be filled with an incorrect `block.number` to fetch data in the case of allocations. Make the `_findBlockNumberForTimestamp` function in `HolyPalPower` public and use it.
```solidity
function _findBlockNumberForTimestamp(uint256 timestamp) internal view returns(uint256) {
    uint256 deltaBlocks = block.number - ANCHOR_BLOCK;
    uint256 deltaTs = block.timestamp - ANCHOR_TIMESTAMP;
    uint256 secPerBlock = (deltaTs * SCALE_UNIT) / deltaBlocks;
    return block.number - (((block.timestamp - timestamp) * SCALE_UNIT) / secPerBlock);
}
```
Or make the same function in `LootCreator`.
```diff
function _updatePeriod() internal {
while (nextBudgetUpdatePeriod <= block.timestamp) {
- periodBlockCheckpoint[nextBudgetUpdatePeriod] = block.number;
+ periodBlockCheckpoint[nextBudgetUpdatePeriod] = _findBlockNumberForTimestamp(nextBudgetUpdatePeriod);
}
}
```
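Review bot: the quoted loop body shows no advance of `nextBudgetUpdatePeriod`, so as written the `while` condition never changes; if the increment is elided from the snippet, it is worth showing it so the order of checkpointing and advancing is unambiguous. Two properties of the replacement line also deserve a comment on the mapping: `_findBlockNumberForTimestamp` divides by `deltaBlocks = block.number - ANCHOR_BLOCK`, so a call in the anchor block itself reverts with a division by zero, and the value it returns is an interpolation from the average seconds per block since the anchor, so `periodBlockCheckpoint` becomes an estimated block rather than an exact one.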
@Kogaroshi, what do you think?

Since we also use `_findBlockNumberForTimestamp` to find the user lock for a given timestamp, we can use the same logic to find the `block.number` at which we want to get the `totalLocked`, since in both cases we'd have the same `block.number`, so better consistency.

I'll work on a fix with those changes.
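A small Python model of the two checkpointing strategies discussed in this thread, as an added example that is not code from the Vote-Flywheel repository: it ports the `_findBlockNumberForTimestamp` arithmetic with uint256 semantics (integer division, revert on underflow or division by zero) and runs a catch-up `_updatePeriod` over three missed periods with both the original `block.number` checkpoint and the interpolated one. The anchor values, the 12 s block time and the weekly period length are constructed for the example.

```python
SCALE_UNIT = 10**18   # assumed scaling constant, mirroring the Solidity snippet
WEEK = 7 * 24 * 3600  # assumed period length


def find_block_number_for_timestamp(timestamp, block_number, block_timestamp,
                                    anchor_block, anchor_timestamp):
    """Port of HolyPalPower._findBlockNumberForTimestamp with uint256 rules."""
    delta_blocks = block_number - anchor_block
    delta_ts = block_timestamp - anchor_timestamp
    if delta_blocks < 0 or delta_ts < 0 or block_timestamp < timestamp:
        raise ValueError("underflow (Solidity would revert)")
    if delta_blocks == 0:
        raise ValueError("division by zero: called in the anchor block")
    # average seconds per block since the anchor, scaled to keep precision
    sec_per_block = (delta_ts * SCALE_UNIT) // delta_blocks
    # walk back from the current block by the elapsed seconds / avg block time
    return block_number - (((block_timestamp - timestamp) * SCALE_UNIT) // sec_per_block)


def update_period(state, block_number, block_timestamp, interpolate):
    """Model of LootCreator._updatePeriod catching up every elapsed period.

    interpolate=False: original code, checkpoint the block of the late call.
    interpolate=True:  proposed fix, checkpoint the estimated boundary block.
    """
    while state["next_period"] <= block_timestamp:
        period = state["next_period"]
        if interpolate:
            blk = find_block_number_for_timestamp(
                period, block_number, block_timestamp,
                state["anchor_block"], state["anchor_ts"])
        else:
            blk = block_number
        state["checkpoint"][period] = blk
        state["next_period"] += WEEK
    return state


def demo():
    """Constructed chain: anchor at block 1000 / ts 0, exactly 12 s per block.

    Nobody calls _updatePeriod for three weeks; the first call lands one day
    into the fourth week. With a constant block time the interpolation is
    exact; with variable block times it is only an estimate."""
    now_ts = 3 * WEEK + 86400
    now_block = 1000 + now_ts // 12
    fresh = lambda: {"next_period": WEEK, "anchor_block": 1000,
                     "anchor_ts": 0, "checkpoint": {}}
    naive = update_period(fresh(), now_block, now_ts, interpolate=False)
    fixed = update_period(fresh(), now_block, now_ts, interpolate=True)
    return naive["checkpoint"], fixed["checkpoint"]
```

With the original code every missed period is checkpointed at the same late block (159400), while the interpolated version recovers the block at each period boundary (51400, 101800, 152200).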
Changes made in https://github.com/PaladinFinance/Vote-Flywheel/pull/2/commits/3b0fe63eeb38718fb96d06329012cde349de8c38. All methods are not fully tested now; will add new tests later on.
Github username: --
Twitter username: --
Submission hash (on-chain): 0xd60b2a57fbcee8f5b277914c96b660c20fe206b1650244efb1a31badd49c38cd
Severity: medium
Description:

We have an important function called `_updatePeriod` in `LootCreator`. Within this function, we update the current period budget, handle pending budgets, and update some critical variables. It's essential to execute these updates correctly to ensure receiving PAL and extra token rewards.

Attack Scenario:

`nextBudgetUpdatePeriod`, and we initialize its initial value in the constructor. When `distributor` notifies the `LootCreator`, it invokes the `_updatePeriod` function. In the `_updatePeriod` function, we cannot be sure that `nextBudgetUpdatePeriod` is larger than the `period`. This can lead to several vulnerabilities.

Because the `period` is larger than `nextBudgetUpdatePeriod`, the `periodBudget[period]` is 0, so `gaugeBudgetPerPeriod` is also 0. And we only allocate the `gauge` for the `period` once. This means that users cannot claim rewards for this `gauge` and `period`. The `_createLoot` function may not work correctly because `periodBlockCheckpoint[period]` is not updated yet. Of course, there is an external function called `updatePeriod`, and if we trust that a trusted entity always ensures the proper update, there is no need to call this function when the distributor notifies the `LootCreator`.

Attachments

Proof of Concept (PoC) File

Revised Code File (Optional)

Modify the `_updatePeriod` function.

```solidity
while (nextBudgetUpdatePeriod <= block.timestamp) {
    // Save the current block number for checkpointing
    periodBlockCheckpoint[nextBudgetUpdatePeriod] = block.number;
```