search

sherlock-audit / 2023-06-tokemak-judging

10 stars 8 forks source link

BTK - `pow()` function returns inconsistent values #31

Closed sherlock-admin2 closed 10 months ago

sherlock-admin2 commented 10 months ago

BTK

medium

pow() function returns inconsistent values

Summary

The GPToke.previewPoints function calculates the points a user will earn by staking a specified amount for a given duration. It ensures the duration is within valid limits, then calculates points using a formula involving the staking duration and a multiplier. The function returns the earned points and the staking end time.

The multiplier is calculated using pow() as follow:

        uint256 multiplier = PRBMathUD60x18.pow(YEAR_BASE_BOOST, endYearpoc);

Vulnerability Detail

The issue is that PRBMath contains a critical vulnerability in the pow() function, which can return inconsistent values. This vulnerability is of great importance to the Tokemak protocol, as the function is used in the computation of how many points a user should get.

GPToke.previewPoints function is called in both:

Recently, another protocol has also experienced the same bug, and the creators of the PRBMath have acknowledged this situation:

https://github.com/sablier-labs/v2-core/pull/432

Impact

PRBMath pow() function can return inconsistent values.

Code Snippet

Tool used

Manual Review

Recommendation

To mitigate this issue, please update the contracts to 0.8.19 and upgrade the PRBMath to version V4 because these errors have been corrected(Link).

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

according https://github.com/PaulRBerg/prb-math/issues/181, the issue happens when calculating x^y and x < 1e18. But in the current implementation, x = YEAR_BASE_BOOST = 18e17 > 1e18