Closed sherlock-admin3 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because getPendingPoints() will not practically be used till point farming has ended. The higher precision adopted is by design
jah
high
wrong calculation on sophonFarming._pendingPoints
Summary
in the function _pendingPoints contract SophonFarming accPointsPerShare is calculated wrongly which will cause for point to not be calculated correctly
Vulnerability Detail
on line 361 contract SophonFarming.sol the accPointsPerShare is calculated with 1e18 which will result into a wrong point calculation unlike how user.rewardDebt and user.rewardSettled are calculated in the deposit function where in the _pendingPoints function pool.accPointsPerShare is multiplied with 1e18 and it will try to divide with 1e36 but still its wrong and also since the function updatePool pool.accPointsPerShare** is not calculated both function uses different calculations which lead to wrong point
Impact
wrong point calculation lead to wrong point of distribution
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L361
Tool used
Manual Review
Recommendation
don't multiply the accPointsPerShare with 1e18 on the _pendingPoints