total commission to receive >= SUM(commission to pay)
When there are many delegators in the validator node, the difference between the two will be relatively large. The staking rewards calculated in this way are too much.
-An extreme case:
1.Total staking 1000w (ignore the validator's own 100), of which there are 1000 delegators, each 1w, and commission 1%
Assuming that the income of each high POS is 36466258 (microcredits), and the total staking is 20000w, the income of the validator is 1823312 (36466258/20)
According to the above algorithm
The commission income is 18233 (microcredits)
Each delegator deducts a commission of 18 (microcredits) and the total deduction of the commission is 18000 (microcredits)
The actual calculated income is 1823545 (1823312+233)
marco-storswift
Medium
The statistics of staking_rewards have precision errors
Summary
The statistics of staking_rewards have precision errors
Vulnerability Detail
https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/src/vm/helpers/rewards.rs#line101
Impact
total commission to receive >= SUM(commission to pay) When there are many delegators in the validator node, the difference between the two will be relatively large. The staking rewards calculated in this way are too much. -An extreme case: 1.Total staking 1000w (ignore the validator's own 100), of which there are 1000 delegators, each 1w, and commission 1%
Code Snippet
Tool used
Manual Review
Recommendation
For modification scheme, refer to https://github.com/SoterARC0038/snarkVM/blob/0875caea697ca3ad7c4577c4876e3d49faf99c66/synthesizer/src/vm/helpers/rewards.rs#L51