search

sherlock-audit / 2024-05-sophon-judging

1 stars 1 forks source link

jah - wrong calculation on sophonFarming._pendingPoints #208

Closed sherlock-admin3 closed 1 month ago

sherlock-admin3 commented 1 month ago

jah

high

wrong calculation on sophonFarming._pendingPoints

Summary

in the function _pendingPoints contract SophonFarming accPointsPerShare is calculated wrongly which will cause for point to not be calculated correctly

Vulnerability Detail

on line 361 contract SophonFarming.sol the accPointsPerShare is calculated with 1e18 which will result into a wrong point calculation unlike how user.rewardDebt and user.rewardSettled are calculated in the deposit function where in the _pendingPoints function pool.accPointsPerShare is multiplied with 1e18 and it will try to divide with 1e36 but still its wrong and also since the function updatePool pool.accPointsPerShare** is not calculated both function uses different calculations which lead to wrong point

Impact

wrong point calculation lead to wrong point of distribution

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L361

Tool used

Manual Review

Recommendation

don't multiply the accPointsPerShare with 1e18 on the _pendingPoints

sherlock-admin2 commented 1 month ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because getPendingPoints() will not practically be used till point farming has ended. The higher precision adopted is by design