Every time an accaunt's shares are minted or burned, there is a point correction calculation for the account, which involves uint256 pointsPerShare. To do the needed multiplication *shares pointsPerShare**, we have to cast all operands to same type.
In function _correctPoints() shares represented as int256 _shares.
So we need to cast uint256 pointsPerShare to int256.
The way it is done: int256(pointsPerShare) will lead to problems when pointsPerShare become > type(int256).max
Impact
Unsafe cast will lead pointsPerShare to have some negative value in scope of this calculation, which will lead to wrong value for pointsCorrection[_account] to be stored, and as result wrong amount of rewards distributed to the account.
JohnSmith
medium
Unsafe cast on point correction calculations
Summary
Unsafe cast may lead to wrong results.
Vulnerability Detail
Every time an accaunt's shares are minted or burned, there is a point correction calculation for the account, which involves
uint256 pointsPerShare. To do the needed multiplication *shares pointsPerShare**, we have to cast all operands to same type. In function_correctPoints()shares represented asint256 _shares. So we need to castuint256 pointsPerSharetoint256. The way it is done:int256(pointsPerShare)will lead to problems whenpointsPerSharebecome >type(int256).maxImpact
Unsafe cast will lead
pointsPerShareto have some negative value in scope of this calculation, which will lead to wrong value forpointsCorrection[_account]to be stored, and as result wrong amount of rewards distributed to the account.Code Snippet
Tool used
Manual Review
Recommendation
Use
SafeCastlibrary to safely cast theuint256toint256Duplicate of #59