A potential division by zero vulnerability exists in the getBoostAmount function.
The function calculates boost amounts using the following formula:
However, it lacks a check for zero before performing the division. If maxBoost and/or maxLockingDuration is set to zero, either externally through the setMaxBoost and setMaxLockingDuration functions respectively or in future contract updates, the division will result in an error, potentially halting the contract's execution and leading to financial losses.
setMaxBoost:
Comment for setMaxBoost:
Code for getBoostAmount:
The comment suggests that a maxBoost of 1 doubles the staker's balance, but it doesn't specify what happens when maxBoost is 0.
The code simply multiplies _amount by maxBoost and _lockingDuration, and then divides by maxLockingDuration.
If maxBoost is 0, the entire calculation becomes 0, regardless of the other values.
setMaxLockingDuration:
Same as setMaxBoost. The comment doesn't explicitly state what happens when maxLockingDuration is zero.
Thus, using the value of maxLockingDuration after running this function might result in getBoostAmount returning an unexpected value.
POC (made using Foundry):
If maxBoost and/or maxLockingDuration unexpectedly becomes 0, it could disrupt the protocol's reward calculations and distribution, leading to unexpected results and potential economic losses.
Manual Review, AI
Explicitly Handle Zero maxBoost, maxLockingDuration:
Add a check within getBoostAmount to return 0 if maxBoost or maxLockingDuration is 0, clarifying the behavior.
The code first checks if either maxBoost or maxLockingDuration is equal to zero. If either condition is true, it immediately returns 0, explicitly indicating that no boost is applicable in these cases.
This approach makes the contract's behavior more transparent and predictable, even when these values are zero.
Prevent Zero maxBoost, maxLockingDuration:
Add a check within setMaxBoost and setMaxLockingDuration to revert if _maxBoost or _maxLockingDuration is 0, ensuring that neither is ever set to 0.
and
Clarify Documentation:
Update the comments to explicitly state the intended behavior when maxBoost and maxLockingDuration are 0.
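The three recommendations above combined in one contract, as an added sketch that is not the audited project's code. The contract name, integer widths, custom error names and the omission of access control are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not the audited contract. The name BoostControllerSketch,
// the uint64 widths and the error names are assumptions. A real deployment
// must also restrict both setters to an authorised caller.
contract BoostControllerSketch {
    uint64 public maxLockingDuration;
    uint64 public maxBoost;

    error ZeroMaxBoost();
    error ZeroMaxLockingDuration();

    constructor(uint64 _maxLockingDuration, uint64 _maxBoost) {
        if (_maxLockingDuration == 0) revert ZeroMaxLockingDuration();
        if (_maxBoost == 0) revert ZeroMaxBoost();
        maxLockingDuration = _maxLockingDuration;
        maxBoost = _maxBoost;
    }

    /// @notice Boost earned by `_amount` locked for `_lockingDuration`.
    /// @dev Returns 0 when maxBoost or maxLockingDuration is 0. Without the
    ///      guard, a zero maxLockingDuration makes the division below revert
    ///      with Panic(0x12) under Solidity 0.8.x.
    function getBoostAmount(uint256 _amount, uint64 _lockingDuration)
        external
        view
        returns (uint256)
    {
        // Explicit zero handling: no boost applies, and no division is attempted.
        if (maxBoost == 0 || maxLockingDuration == 0) return 0;
        return (_amount * uint256(maxBoost) * uint256(_lockingDuration))
            / uint256(maxLockingDuration);
    }

    /// @notice Sets the maximum boost multiplier. Zero is rejected.
    function setMaxBoost(uint64 _maxBoost) external {
        if (_maxBoost == 0) revert ZeroMaxBoost();
        maxBoost = _maxBoost;
    }

    /// @notice Sets the maximum locking duration. Zero is rejected.
    function setMaxLockingDuration(uint64 _maxLockingDuration) external {
        if (_maxLockingDuration == 0) revert ZeroMaxLockingDuration();
        maxLockingDuration = _maxLockingDuration;
    }
}
```

With both setters and the constructor rejecting zero, the guard in getBoostAmount only fires if storage was never initialised, for example behind a proxy where the constructor does not run.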