sherlock-admin3
commented
5 months ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because of insufficient proof
Closed sherlock-admin4 closed 5 months ago
sherlock-admin3
commented
5 months ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because of insufficient proof
bareli
medium
wrong implementation of "getOptimizedUserInfo"
Summary
different implementation of userInfos and userInfo.
Vulnerability Detail
As we can see here we are calculating userInfos as we are going through _users.length and poolInfo.length loops. we are calculating userInfos[i][j][k] as our i is _userlength ,j is poolinfo_length and k is (0,4). as we can see that userInfo[i][j] follow i is poolInfo.length and j is _userlength. we can see that there is difference between them ,this is not a wrong implementation but a confusion one.
function getOptimizedUserInfo(address[] memory _users) external view returns (uint256[4][][] memory userInfos) { userInfos = new uint256[4][]; uint256 len = poolInfo.length; for(uint256 i = 0; i < _users.length;) { address _user = _users[i]; userInfos[i] = new uint256[4]; for(uint256 pid = 0; pid < len;) { UserInfo memory uinfo = userInfo[pid][_user]; userInfos[i][pid][0] = uinfo.amount; userInfos[i][pid][1] = uinfo.boostAmount; userInfos[i][pid][2] = uinfo.depositAmount; userInfos[i][pid][3] = _pendingPoints(pid, _user); unchecked { ++pid; } } unchecked { i++; } } }
Impact
different implementation behaviour between userinfo and userinfos.
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L898
Tool used
Manual Review
Recommendation
function getOptimizedUserInfo(address[] memory _users) external view returns (uint256[4][][] memory userInfos) { userInfos = new uint256[4][]; uint256 len = _users.length; for(uint256 i = 0; i <poolInfo.length ;) {