search

sherlock-audit / 2024-05-sophon-judging

7 stars 6 forks source link

FonDevs - potential temporary denial of service when adding the first pool with `_allocPoint == 0` #215

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

FonDevs

medium

potential temporary denial of service when adding the first pool with _allocPoint == 0

Summary

when creating the first pools by calling function add(uint256 _allocPoint, address _lpToken, string memory _description, bool _withUpdate) public onlyOwner returns (uint256), if the _allocPoint is set to 0, all future calls to function updatePool(uint256 _pid) public will fail.

Vulnerability Detail

when creating new pools the _allocPoint is added to the totalAllocPoint, if the first pool is created with _allocPoint = 0, the totalAllocPoint still remains 0. in the function updatePool the pointReward is calculated as uint256 pointReward = blockMultiplier * _pointsPerBlock * _allocPoint / totalAllocPoint; This raises a division by zero exception.

Impact

all calls to function updatePool revert

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L153

Tool used

Manual Review

Recommendation

prevent creating pools with _allocPoint == 0.

sherlock-admin4 commented 4 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because set() will still allow pool's allocation point if pool.allocPoint == 0