Closed sherlock-admin4 closed 1 month ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because it would require the admin to make a mistake by inputting a false boolean
The protocol team fixed this issue in the following PRs/commits: https://github.com/sophon-org/farming-contracts/commit/6d117397d57a39a865cee0621cabf9154fb6fd71
The Lead Senior Watson signed off on the fix.
JrNet
medium
Design Issue: add() and set() relay on owner to update all pools can cause reward (points) loss.
Summary
_withUpdate
essentially allowing owners to skip the updation ofpool.accPointsPerShare
value but increase totalAllocPoints. However this is a tough design decision to choose whetheradd
/set
functions from bricking (as if we remove_withUpdate
and on every call we do massUpdatePool, when a new pool gets added, it should iterate thoughpoolInfo[]
which can get quite larger and cause gas errors. Also once a pool added it can't be removed. It only allows pool by to reset by updatingpool.allocPoints
. On pools getting added it grows and brick the system)If owner compromised or malicious this can go bad on rewards distribution system. As totalAllocPoints increases the pool.accPointsPerShare decreases and users face loss of rewards in scale.
Refer issue IDX-003 in LuckyLion_Farm_Audit_Report
Vulnerability Detail
State Variable
totalAllocPoint
is used to determine the portion that each pool would get from the total reward and it is one of the main consideration in the rewards calculation.When a pool gets added with
_withUpdate=false
it only increases the totalAllocPoint valuesThis shows it is crucial to set removing _withUpdate (
_withUpdate=true
) irrespective of owner decision to prevent reward (points) loss to user.Impact
Loss of rewards (points)
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L153-L216
Tool used
Manual Review
Recommendation
Remove the
_withUpdate
in theadd()
andset()
functions and always call themassUpdatePools()
function before updatingtotalAllocPoint
variable and design the protocol to remove or avoid gas errors to mitigate the risks.