search

sherlock-audit / 2024-05-sophon-judging

7 stars 6 forks source link

Ragnark_323 - Manipulation of Block Multiplier via Low Gas Fees #213

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 4 months ago

Ragnark_323

high

Manipulation of Block Multiplier via Low Gas Fees

Summary

The SophonFarming contract's reward calculation mechanism can be manipulated by users through the use of low gas fees, leading to delayed transactions and an inflated block multiplier. This results in disproportionate rewards for the user, disrupting the protocol's reward distribution .

Vulnerability Detail

The SophonFarming contract calculates rewards for users based on the blockMultiplier, which is determined by the difference between the current block number and the last reward block. Users can manipulate this calculation by setting very low gas fees, causing their transactions to be delayed and increasing the blockMultiplier. This results in disproportionately high rewards for the user, which can negatively impact the protocol's reward distribution mechanism. The issue lies in the _getBlockMultiplier function and its usage in the updatePool function:


function _getBlockMultiplier(uint256 _from, uint256 _to) internal view returns (uint256) {
    uint256 _endBlock = endBlock;
    if (_endBlock != 0) {
        _to = Math.min(_to, _endBlock);
    }
    if (_to > _from) {
        return (_to - _from) * 1e18;
    } else {
        return 0;
    }
}

Example: 1.A user sets a very low gas fee for their transaction.

2.The transaction is delayed for several blocks due to the low gas fee.

3.When the transaction is finally processed, the blockMultiplier is calculated based on the difference between the current block and the last reward block.

4.The delay causes the block difference to span several blocks, inflating the blockMultiplier.

5.This inflated blockMultiplier results in the user receiving significantly more rewards than intended.

*considering this issue as high because this issue is present in multiple functions and maybe all the users starts exploiting this vul due to very low complexity

Impact

Users can receive more rewards than intended by delaying their transactions, leading to an unfair distribution of rewards. The manipulation undermines the integrity of the reward distribution mechanism, potentially leading to a loss of trust in the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/05059e53755f24ae9e3a3bb2996de15df0289a6c/farming-contracts/contracts/farm/SophonFarming.sol#L339C5-L349C6

Tool used

Manual Review

Recommendation

By capping the blockMultiplier, the protocol can prevent users from exploiting low gas fees to gain excessive rewards, ensuring a fair and balanced reward distribution mechanism

sherlock-admin3 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because of insensible POC