Decimal Precision Issue in USDC rewards Calculation
Summary
The current implementation of the earnedUSDC and rewardPerTokenUSDC function incorrectly handles decimal precision for USDC, which uses 6 decimals. This results in inaccurate reward calculations and potential overpayments.
USDC Token Implementation: The USDC token adheres to a 6-decimal format, which is different from the 18-decimal format assumed in the contract's calculations.
Attack Path
User calls any method with the updateReward modifier to set the incorrect USDC reward amount.
Impact
Users may suffer financial loss/gain due to either overpayment of rewards in USDC.
The discrepancy between the results using 1e18 (604,800 USDC) and 1e16 (60,480 USDC) demonstrates a large impact on reward calculations. The contract must correct this to prevent inaccuracies and ensure fair distribution.
PoC
let's walk through calculations showing how using 1e18 versus 1e16 affects the reward distribution for USDC.
Total Balance of User: 1000 USDC
Reward Rate (per second): 1000
Time Elapsed: 1 week (604800 seconds)
Total Supply of Staked Tokens: 1,000,000 USDC
Scenario 1: Incorrect Precision (1e18)
Reward Per Token Calculation (rewardPerTokenUSDC):
Apologies for the miscalculation in the report. The correct value should obviously be 1e6 instead of 1e16. Let's just say that being sleep-deprived makes my brain mix things up. 😄
patronasxd
High
Decimal Precision Issue in USDC rewards Calculation
Summary
The current implementation of the
earnedUSDC
andrewardPerTokenUSDC
function incorrectly handles decimal precision for USDC, which uses 6 decimals. This results in inaccurate reward calculations and potential overpayments.Root Cause
in the View function earnedUSDC of
StakingRewardsV2.sol
, and rewardPerTokenUSDC ofStakingRewardsV2.sol
the reward calculation uses a precision factor of1e18
, which is suitable for ERC20 tokens with 18 decimal places. However, since USDC uses 6 decimal places, the precision factor should be1e16
to ensure accurate reward amounts.Internal pre-conditions
No response
External pre-conditions
Attack Path
updateReward
modifier to set the incorrect USDC reward amount.Impact
Users may suffer financial loss/gain due to either overpayment of rewards in USDC.
The discrepancy between the results using 1e18 (604,800 USDC) and 1e16 (60,480 USDC) demonstrates a large impact on reward calculations. The contract must correct this to prevent inaccuracies and ensure fair distribution.
PoC
let's walk through calculations showing how using 1e18 versus 1e16 affects the reward distribution for USDC.
Scenario 1: Incorrect Precision (1e18)
Reward Per Token Calculation (rewardPerTokenUSDC):
Substituting the values:
Earned USDC Calculation (earnedUSDC):
Substituting the values:
Result: 604,800 USDC, which is high and unrealistic.
Scenario 2: Correct Precision (1e16)
Reward Per Token Calculation (rewardPerTokenUSDC):
Substituting the values:
Earned USDC Calculation (earnedUSDC):
Substituting the values:
Result: 60,480 USDC, which is a more realistic value.
Summary
Using 1e18: The reward calculations are high (e.g., 604,800 USDC), indicating an error due to incorrect precision scaling.
Using 1e16: The reward calculations are reasonable and align with expected values (e.g., 60,480 USDC)
Mitigation
use 1e16 instead of 1e18 for
rewardPerTokenUSDC
andearnedUSDC