search

sherlock-audit / 2024-06-leveraged-vaults-judging

9 stars 8 forks source link

zhuying - Some rewards will be struck in contract because of rounding down #103

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 2 months ago

zhuying

Medium

Some rewards will be struck in contract because of rounding down

Summary

Some rewards will be struck in contract because of rounding down.

Vulnerability Detail

Accumulate reward is via claiming or emission rate. The calculation of accumulatedRewardPerVaultShare is calculated by rounding down.

        state.accumulatedRewardPerVaultShare +=
            ((tokensClaimed * uint256(Constants.INTERNAL_TOKEN_PRECISION)) / totalVaultSharesBefore).toUint128();
            additionalIncentiveAccumulatedPerVaultShare =
                (timeSinceLastAccumulation
                    * uint256(Constants.INTERNAL_TOKEN_PRECISION)
                    * state.emissionRatePerYear)
                / (Constants.YEAR * totalVaultSharesBefore);

So there will be some rewards struck in contract.

Impact

Some rewards will be struck in contract.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/common/VaultRewarderLib.sol#L383-L387 https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/common/VaultRewarderLib.sol#L340-L342

Tool used

manual

Recommendation

Add function to let owner move the excess rewards to protocol's vault. Or use openzeppelin library.

sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Low/QA at most