stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: medium
Invalid

Potential dust accumulation issue in Reward Distribution function

Summary

The distributeRewards function of the SDLPoolCCIPControllerPrimary contract implements a reward distribution mechanism across multiple chains. The concern raised is that the reward calculation uses integer division, which loses precision and may lead to dust accumulation. Because of this, the last rewarder in the distribution process appears to receive more rewards than the others.

Vulnerability Details

The primary vulnerability lies in the following code snippet:

uint256 rewards = j == numDestinations - 1
    ? tokenBalance - totalDistributed
    : (tokenBalance * reSDLSupplyByChain[chainSelector]) / totalRESDL;

The division operation in the formula may result in dust accumulation, and this dust is given to the last rewarder, potentially causing an uneven distribution of rewards.

Impact

The impact of this issue is that the last rewarder in the distribution process may receive more rewards than expected due to precision loss from dust accumulation. While the dust amounts are likely to be small, this could still be a concern for fairness in reward distribution.

POC

Assume the following scenario:

  • Given Data:

    • Total tokenBalance: 110

    • Expected reward per destination: 27.5

    • Total RESDL supply (totalRESDL): 4

  • Calculation:

    • Ideal reward per destination: 110 / 4 = 27.5

  • Issue:

    • Solidity's handling of arithmetic operations with unsigned integers truncates the fractional part.

    • Result: Each destination receives the truncated value of 27 instead of the expected 27.5.

  • Impact:

    • The remaining fractional rewards (0.5 each) accumulate as dust.

    • The last rewarder receives the accumulated dust, resulting in a higher total reward (tokenBalance - totalDistributed).

  • Proof of Concept:

    • Total tokenBalance: 110

    • Calculated reward per destination (truncated): 27

    • Accumulated dust (truncated fractional parts): 0.5 + 0.5 + 0.5 = 1.5

    • Last rewarder's reward: 27 + 1.5 = 28.5

  • Conclusion:

    • The Proof of Concept demonstrates that the last rewarder receives more rewards (28.5) than others due to the truncation of fractional parts in the reward calculation, leading to dust accumulation.

Tools Used

Manual code review.

Recommendations

Implement a rounding mechanism in the reward calculation to ensure that fractional parts are rounded up or down appropriately. This will prevent truncation-related precision issues, promote a fair distribution of rewards, and mitigate the accumulation of dust in the last rewarder's allocation.
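
The split quoted under Vulnerability Details, modelled in Python as an added example (not part of the submission or of the stake.link contracts). Python integers floor-divide like Solidity's uint256; the function names, the four equal destinations for the 110 / 4 scenario, and the 18-decimal case with supplies 3, 7, 11, 13 are assumptions constructed here.

```python
# Added model of the quoted reward split (not contract code).
# Python's // on non-negative ints truncates exactly like uint256 division.

def distribute(token_balance, supply_by_chain):
    """Mirror the quoted ternary: a floor share for every destination except
    the last, which receives tokenBalance - totalDistributed."""
    total_resdl = sum(supply_by_chain)
    if total_resdl == 0:
        raise ValueError("totalRESDL is zero; nothing to apportion")
    rewards, total_distributed = [], 0
    last = len(supply_by_chain) - 1
    for j, supply in enumerate(supply_by_chain):
        if j == last:
            share = token_balance - total_distributed
        else:
            share = (token_balance * supply) // total_resdl
        rewards.append(share)
        total_distributed += share
    return rewards


def last_excess(token_balance, supply_by_chain):
    """Base units the last destination receives beyond its own floor share."""
    rewards = distribute(token_balance, supply_by_chain)
    floor_last = (token_balance * supply_by_chain[-1]) // sum(supply_by_chain)
    return rewards[-1] - floor_last


if __name__ == "__main__":
    # Scenario values from the page; four destinations of supply 1 is assumed.
    print(distribute(110, [1, 1, 1, 1]))  # [27, 27, 27, 29]
    # Constructed case: 110 tokens at 18 decimals, uneven reSDL supplies.
    print(last_excess(110 * 10**18, [3, 7, 11, 13]), "base units of surplus")
```

Each truncated division drops less than one base unit, so the last destination's surplus over its own floor share is at most numDestinations - 1 base units. The remainder branch also guarantees the shares sum to tokenBalance exactly, so nothing is left undistributed in the contract.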

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
