sherlock-admin2
commented
5 months ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because getPendingPoints() will not practically be used till point farming has ended. The higher precision adopted is by design
aslanbek
medium
_pendingPointsreturns more points than the user will actually receiveSummary
Internal function
_pendingPointsis used by multiple view functions to retrieve the amount of rewards the user received for staking. There points are supposed to represent amount of SOPH each user will receive.However,
_pendingPointsuses a slightly different formula for computing the rewards in comparison to state-changing functions, and will return a value slightly different than the "real" one.Vulnerability Detail
_pendingPoints adds
accPointsPerShare * 18andpointReward * 1e18 / lpSupply, and then divides the result by 1e36.other functions use
updatePool, which addsaccPointsPerShareandpointReward / lpSupply, and then divide the result by 1e18.Therefore, the former will have higher precision and return a slightly higher value.
Impact
View functions that return users' pending points will return a value higher than the actual one. As it is the only function that allows to retrieve users' accumulated rewards, and is going to be used for determining amount of SOPH to mint, it will result in slightly too many SOPH being minted.
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/05059e53755f24ae9e3a3bb2996de15df0289a6c/farming-contracts/contracts/farm/SophonFarming.sol#L361-L383
Tool used
Manual Review
Recommendation