search

sherlock-audit / 2024-06-velocimeter-judging

11 stars 7 forks source link

Mansa11 - Incorrect assigning of lock duration for an LpDiscount #668

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 4 months ago

Mansa11

Medium

Incorrect assigning of lock duration for an LpDiscount

Summary

A vulnerability has been identified in the getLockDurationForLpDiscount function where the logic incorrectly assigns the lock duration for an LP discount of zero. This can result in incorrect duration calculations and potential issues in the contract's operation.

Referenced Links

https://github.com/sherlock-audit/2024-06-velocimeter/blob/main/v4-contracts/contracts/OptionTokenV4.sol#L340-L345

Vulnerability Detail

The two variables below are used to lock the LP for certain periods. uint256 public lockDurationForMaxLpDiscount = FULL_LOCK; // 52 weeks // 31,449,600 uint256 public lockDurationForMinLpDiscount = 7 * 86400; // 1 week // 604,800

The function getLockDurationForLpDiscount is a function designed to calculate the lock duration based on a provided discount, If the discount is zero, the function is meant to assign lockDurationForMinLpDiscount which is the minimum Lp discount. However, it is currently being assigned lockDurationForMaxLpDiscount. This miss alignment can lead to great impacts during calculations of the lock duration period which could affect the protocol in it entirety.

It is not right lock an LP with 0 discount for such a long period of time up to a year.

Impact

This can disrupt the expected behavior of the contract, potentially causing user dissatisfaction and trust issues. Users might be subjected to longer lock periods than anticipated, leading to a lack of liquidity and potential financial losses.

Code Snippet

function getLockDurationForLpDiscount(
    uint256 _discount
) public view returns (uint256 duration) {
    (int256 slope, int256 intercept) = getSlopeInterceptForLpDiscount();
    duration = _discount == 0 ? lockDurationForMaxLpDiscount : SignedMath.abs(slope * int256(_discount) + intercept); 
    // @audit if _discount == 0, lockDurationForMinLpDiscount should be used, which is 1 week and not lockDurationForMaxLpDiscount
}

Tool Used

Manual Review

Recommendation

Modify the conditional check to implement the proper lock duration.

function getLockDurationForLpDiscount(
    uint256 _discount
) public view returns (uint256 duration) {
    (int256 slope, int256 intercept) = getSlopeInterceptForLpDiscount();
-    duration = _discount == 0 ? lockDurationForMaxLpDiscount : SignedMath.abs(slope * int256(_discount) + intercept); 
+    duration = _discount == 0 ? lockDurationForMinLpDiscount : SignedMath.abs(slope * int256(_discount) + intercept); 
    // @audit if _discount == 0, lockDurationForMinLpDiscount should be used, which is 1 week and not lockDurationForMaxLpDiscount
}
duration = _discount == 0 ? lockDurationForMinLpDiscount : SignedMath.abs(slope * int256(_discount) + intercept);
nevillehuang commented 3 months ago

Invalid, lockDurationForMaxLpDiscount is correct, discount 0 means that users pays nothing