stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Reducing maxBoost may result in users unable to update their lock

peanuts

Summary

Vulnerability Details

A boost of 1x multiplier will increase the staker's balance by 100%.

/**

* @notice sets the maximum boost multiplier

* @dev a multiplier of 1 would mean that a staker's balance is doubled if they lock for the max

* locking duration

* @param _maxBoost max boost multiplier

function setMaxBoost(uint64 _maxBoost) external onlyOwner {

maxBoost = _maxBoost;

emit SetMaxBoost(_maxBoost);

}

In test files, boost are set to 8x multiplier.

If the protocol decides to reduce boost from 8x to 1x, calculations in effectiveBalances and totalEffectiveBalance may underflow.

In _storeUpdatedLock() of SDLPoolPrimary.sol, the duration of the lock can be updated by the user. If the user wants to lock with a longer duration, but did not realize that the boost multiplier has been decreased, the diffTotalAmount will be a negative number.

If the boost reduction is extremely large, effectiveBalances and totalEffectiveBalance will underflow, resulting in users being unable to lengthen their existing lock duration. They also won't be able to transfer their locks because transferring will mean that onTokenTransfer() is called which calls _storeUpdatedLock().

function _storeUpdatedLock(

> int256 diffTotalAmount = int256(lock.amount + lock.boostAmount) -

int256(locks[_lockId].amount + locks[_lockId].boostAmount);

if (diffTotalAmount > 0) {

effectiveBalances[_owner] += uint256(diffTotalAmount);

totalEffectiveBalance += uint256(diffTotalAmount);

> } else if (diffTotalAmount < 0) {

effectiveBalances[_owner] -= uint256(-1 * diffTotalAmount);

totalEffectiveBalance -= uint256(-1 * diffTotalAmount);

}

locks[_lockId] = lock;

Impact

Users will not be able to update their lock duration or transfer their locks if multiplier is reduced.

Tools Used

Manual Review

Recommendations

Ensure that a reduction in multiplier will not affect the current protocol functionality. Best is to make sure that the multiplier cannot be decreased at all.

Updates

Lead Judging Commences

0kage Lead Judge

over 1 year ago

0kage Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

negative boostdiff

negative boost diff caused by lowering max boost or increasing max duration can trigger unlocks

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.