User loose up to 50% t ofhe balance if he deposit _boostAmount via _deposit function.
Summary
User could loose up to 50% of his balance due to incorrect calculation in the _deposit function
Vulnerability Detail
The boostAmount it is an amount that will be counted in user.amount but will not possible to be withdrawn. Users are incentivised to put(stake) money as a boostAmount because it has multiplier on the amount staked (2e18), thus increase the amount staked which will result in more airdrop rewards.
If am an ordinary user, i provide the 1000e18 tokens via the _deposit function, where 500e18 _depositAmount and other 500e18 is _boostAmount. In this case the _deposit function will calculate my function as follows
It is the first issue, it will incorrectly calculate the _depositAmount.
_depositAmount = _depositAmount - _boostAmount;
After that _boostAmount will multiply by 2e18 and result in == 1000e18
Eventually, the user.amount = _depositAmount + _boostAmount which result in 1000e18
It means, that the user has no _depositedAmount so he can't increaseBoost on his balance and his user.amount is 1000e18, while in theory he SHOUD BE ABLE to increase his boost balance by 500e18 at least. Let's see
If this user would be aware enough , he would not set any _boostAmount in the _deposit function and deposit simply 1000e18, and his user.amount would be 1000e18 (which will include only _depositAmount). After that, the user could call the increaseBoost function, where he could increase by maxAdditionalBoost which is his _depositedBalance equal to the 1000e18.
Eventually, the user.amount calculated via
ArsenLupin
high
User loose up to 50% t ofhe balance if he deposit _boostAmount via _deposit function.
Summary
User could loose up to 50% of his balance due to incorrect calculation in the _deposit function
Vulnerability Detail
The boostAmount it is an amount that will be counted in user.amount but will not possible to be withdrawn. Users are incentivised to put(stake) money as a boostAmount because it has multiplier on the amount staked (2e18), thus increase the amount staked which will result in more airdrop rewards.
If am an ordinary user, i provide the 1000e18 tokens via the _deposit function, where 500e18 _depositAmount and other 500e18 is _boostAmount. In this case the _deposit function will calculate my function as follows
After that _boostAmount will multiply by 2e18 and result in == 1000e18 Eventually, the user.amount = _depositAmount + _boostAmount which result in 1000e18 It means, that the user has no _depositedAmount so he can't increaseBoost on his balance and his user.amount is 1000e18, while in theory he SHOUD BE ABLE to increase his boost balance by 500e18 at least. Let's see
If this user would be aware enough , he would not set any _boostAmount in the _deposit function and deposit simply 1000e18, and his user.amount would be 1000e18 (which will include only _depositAmount). After that, the user could call the increaseBoost function, where he could increase by maxAdditionalBoost which is his _depositedBalance equal to the 1000e18. Eventually, the user.amount calculated via
And the user then receive the correct user.amount! His overall balance would be 2000e18.
Impact
The user loose the balance if we input _boostAmount in the _deposit function
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L600-L601
Tool used
Manual Review
Recommendation
Adjust the calculation, run the test and make sure that users doesn't loose the balance compare to two options of increasing balance.