search

sherlock-audit / 2024-05-sophon-judging

7 stars 6 forks source link

Ragnark_323 - Pending Points Calculation Returns Zero for user Deposits due to incorrect precision handling #193

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

Ragnark_323

high

Pending Points Calculation Returns Zero for user Deposits due to incorrect precision handling

Summary

The SophonFarming contract has an issue with the calculation of pending points. When depositing tokens, the pending points are calculated as zero. This issue arises due to precision handling in the _pendingPoints function.

Vulnerability Detail

The vulnerability stems from precision loss in the _pendingPoints function.the calculation in the _pendingPoints function involves improper scaling multiple times, This leads to precision loss, resulting in an incorrect calculation of the user's pending points..please refer the foundry POC attached

below is the foundry Poc

function test_setOneDepositorPerPool() public {
        vm.prank(deployer);
         sophonFarming.setEndBlock(block.number + 100, 50);

        uint256 amountToDeposit1 = 100e18;
        uint256 poolId1 = sophonFarming.typeToId(SophonFarmingState.PredefinedPool.wstETH);

        vm.startPrank(account1);
        deal(address(wstETH), account1, amountToDeposit1);

        wstETH.approve(address(sophonFarming), amountToDeposit1);
        sophonFarming.deposit(poolId1, amountToDeposit1, 0);

        vm.stopPrank();

        vm.prank(deployer);
        sophonFarming.setEndBlock(block.number + 10, 10);
        vm.roll(block.number + 20);

         vm.startPrank(account1);
        uint y = sophonFarming.pendingPoints(poolId1,msg.sender);
        console.log("Y : ",y);
        vm.stopPrank();

        vm.startPrank(account1);
        uint x = sophonFarming.withdraw(poolId1,amountToDeposit1/2);
        console.log("x : ",x);
        vm.stopPrank();
   }

   note:please consider adding the ` return _withdrawAmount;` in the `withdraw()` function to verify

sophon_poc

Impact

Pending Points Calculation Returns Zero for Valid Deposits in SophonFarming Contract

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/05059e53755f24ae9e3a3bb2996de15df0289a6c/farming-contracts/contracts/farm/SophonFarming.sol#L357C5-L384C6

Tool used

Foundry

Recommendation

Consider reevaluating the precision handling in the _pendingPoints function to ensure accurate calculation of pending points for users.

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because getPendingPoints() will not practically be used till point farming has ended. The higher precision adopted is by design