Unsafe casting in RewardsDistributorV2 leads to underflow when calculating rewards
Summary
Solidity does not revert when casting a negative number to uint. Instead, it underflows to a large number. In the RewardDistributor contract, the balance of a token at specific time can lead to silent overflow due to unsafe casting
Vulnerability Detail
As shown below, the code does not check if the value returned for balance_of is negative, (considering that the user could have locked for less than 50 weeks and he is claiming his rewards for the first time after 50 weeks) since the point he lock his lp.
Hence, the code is suppose to return zero when the calculated balance is a negative number however, it underflows silently to a large
number.
This would lead to incorrect reward distribution if for VM users and third-party protocols depend on this function because it may lead to
the claim function reverting for some users if there is not enough balance to claim
some users may claim more than they are entitled to leading to a loss of funds for some user
Impact
Loss of yield for users as there is a possibility of some users earning more yield than others
Audinarey
High
Unsafe casting in
RewardsDistributorV2leads to underflow when calculating rewardsSummary
Solidity does not revert when casting a negative number to uint. Instead, it underflows to a large number. In the RewardDistributor contract, the balance of a token at specific time can lead to silent overflow due to unsafe casting
Vulnerability Detail
As shown below, the code does not check if the value returned for
balance_ofis negative, (considering that the user could have locked for less than 50 weeks and he is claiming his rewards for the first time after 50 weeks) since the point he lock his lp.Hence, the code is suppose to return zero when the calculated balance is a negative number however, it underflows silently to a large number. This would lead to incorrect reward distribution if for VM users and third-party protocols depend on this function because it may lead to
Impact
Loss of yield for users as there is a possibility of some users earning more yield than others
Code Snippet
https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/RewardsDistributorV2.sol#L206-L208 https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/RewardsDistributorV2.sol#L263-L266
Tool used
Manual Review
Recommendation
Modify the
_claim(...)and_claimable(...)functions to check for possible negative values that may overflow when claiming rewards.Duplicate of #649