Wrong formula in calculating full reward
Summary
Formula to calculate reward in _calculateFullPeriodReward() function is wrong, user will receive more token than they should
Vulnerability Details
Mechanism of the reward is from payoutStart_, when interval_ time is passed, decreaseAmount_ is reduced from initialAmount_.
In function _calculateFullPeriodReward(), initialReward_ is calculated as reward that passed before
// START calculate initial reward when period start
uint256 timePassedBefore_ = startTime_ - payoutStart_;
uint256 intervalsPassedBefore_ = _divideCeil(timePassedBefore_, interval_);
uint256 decreaseRewardAmount_ = intervalsPassedBefore_ * decreaseAmount_;
if (decreaseRewardAmount_ >= initialAmount_) {
return 0;
}
uint256 initialReward_ = initialAmount_ - decreaseRewardAmount_;
// END
And after each intervals passed, the reward is reduced for that intervals part:
uint256 ip_ = ((endTime_ - payoutStart_ - intervalsPassedBefore_ * interval_) / interval_);
if (ip_ == 0) {
return 0;
}
return initialReward_ * ip_ - (decreaseAmount_ * (ip_ * (ip_ - 1))) / 2; // <---
But the return value is not correct, it does not counting for decreaseAmount_ for first full intervals passed, which lead to the rest is wrong.
Impact
Formula is wrong, user will get more reward than they should
Tools Used
Manual review
Recommendations
Formula should be updated to:
- return initialReward_ * ip_ - (decreaseAmount_ * (ip_ * (ip_ - 1))) / 2;
+ return initialReward_ * ip_ - (decreaseAmount_ * (ip_ * (ip_ + 1))) / 2;
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.