stake.link

DeFiHardhatBridge

27,500 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Reward calculation error for ccipController

innertia

Summary

In this protocol, the distribution of rewards to users is based on effectiveBalances[user].
Before this value changes, updateRewards(user) is used to calculate the current rewards.
The calculation of rewards is outside the scope of this audit, but if rewards are calculated after effectiveBalances[user] has changed, it may result in more rewards than originally received, or vice versa.
Therefore, the processing of updateRewards(user) is important.
However, in this scope of audit, there is only one place where effectiveBalances[ccipController] changes but updateRewards(ccipController) is not performed.
Since effectiveBalances[ccipController] affects rewards to the secondary chain, errors in the calculation of these rewards have a large impact.
In other words, there are areas where updateRewards(ccipController) should be added to ensure accurate calculation of rewards.
(The general framework of the above has been confirmed with the sponsor.)

Vulnerability Details

The following is the relevant section.
effectiveBalances[ccipController] is being changed, but there is no updateRewards(ccipController).
This makes the calculation of rewards inaccurate.

function handleIncomingUpdate(uint256 _numNewRESDLTokens, int256 _totalRESDLSupplyChange)
    external
    onlyCCIPController
    returns (uint256)
{
    uint256 mintStartIndex;
    if (_numNewRESDLTokens != 0) {
        mintStartIndex = lastLockId + 1;
        lastLockId += _numNewRESDLTokens;
    }
    if (_totalRESDLSupplyChange > 0) {
        effectiveBalances[ccipController] += uint256(_totalRESDLSupplyChange);
        totalEffectiveBalance += uint256(_totalRESDLSupplyChange);
    } else if (_totalRESDLSupplyChange < 0) {
        effectiveBalances[ccipController] -= uint256(-1 * _totalRESDLSupplyChange);
        totalEffectiveBalance -= uint256(-1 * _totalRESDLSupplyChange);
    }
    emit IncomingUpdate(_numNewRESDLTokens, _totalRESDLSupplyChange, mintStartIndex);
    return mintStartIndex;
}

https://github.com/Cyfrin/2023-12-stake-link/blob/549b2b8c4a5b841686fceb9c311dca9ac58225df/contracts/core/sdlPool/SDLPoolPrimary.sol#L231-L253

Impact

Rewards to the secondary chain will be inaccurate.

Tools Used

Manual

Recommendations

add updateRewards(ccipController) to handleIncomingUpdate.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

incorrect rewards

Prize pool breakdown

Total prize

27,500 USDC

nSLOC

1,414

19 USDC / LOC

High Medium

25,000 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.