The getPercentPenalty function in the UnripeFacet.sol contract incorrectly calculates the penalty percentage for C.UNRIPE_BEAN by using LibUnripe.getPenalizedUnderlying, which is intended to return the amount of redeemable tokens, not a percentage. This results in the function returning incorrect values that do not represent the intended penalty percentage.
Let's look at this function:
Here is the LibUnripe.getPenalizedUnderlying function used for C.UNRIPE_BEAN:
Suppose the total supply of C.UNRIPE_BEAN is 1,000,000 tokens and the current recapitalization allows for 500,000 tokens to be redeemed. LibUnripe.DECIMALS, which equals 1,000,000, is passed as the 'amount' input parameter, so the calculation is based on amounts instead of percentages. The returned value might suggest a 50% rate when it actually represents 500,000 redeemable beans, misleading users about the actual penalties involved when converting their Unripe Beans into Ripe Beans.
This issue leads to incorrect penalty calculations, potentially causing users to be misinformed about the penalties associated with converting their unripe tokens into ripe tokens. This can affect the protocol at large.
Manual review
Ensure that the penalty calculation for C.UNRIPE_BEAN correctly computes a percentage value, and add a default return statement to handle cases where unripeToken does not match any expected values.
This correction ensures that the function returns a penalty percentage for both C.UNRIPE_BEAN and C.UNRIPE_LP based on the square of the recapitalized percentage, and it handles other tokens by returning 0, which is a safe default.
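The unit mismatch and the recommended shape, as an added Python model that is not part of the original report and is not Beanstalk's Solidity code. Assumptions: penalized_underlying is a simplified pro-rata stand-in for the amount-returning helper, the recapitalized percentage is treated as an independent input, the token labels are plain strings, and all figures are constructed (the first scenario reuses the numbers from the report).

```python
# Simplified model (assumption): hypothetical helpers, not the project's code.
DECIMALS = 1_000_000  # per the report, LibUnripe.DECIMALS equals 1,000,000 (100%)


def penalized_underlying(amount, supply, redeemable):
    """Stand-in for an amount-returning helper: the pro-rata share of the
    redeemable underlying for `amount` unripe tokens. Unit: tokens."""
    if supply == 0:
        return 0
    return redeemable * amount // supply


def percent_penalty_as_reported(supply, redeemable):
    """Pattern described in the finding: DECIMALS is passed as `amount`
    and the resulting token amount is returned as if it were a percentage."""
    return penalized_underlying(DECIMALS, supply, redeemable)


def percent_penalty_recommended(token, recap_percent):
    """Recommended shape: square of the recapitalized percentage, scaled by
    DECIMALS, for both unripe tokens; 0 for any other token."""
    if not 0 <= recap_percent <= DECIMALS:
        raise ValueError("recap_percent must be within [0, DECIMALS]")
    if token in ("UNRIPE_BEAN", "UNRIPE_LP"):
        return recap_percent * recap_percent // DECIMALS
    return 0  # explicit default for unexpected tokens


def in_percent_range(value):
    """A DECIMALS-scaled percentage must stay within [0, DECIMALS]."""
    return 0 <= value <= DECIMALS


# Constructed scenarios: (supply, redeemable). The recapitalized percentage
# is held at 50% (500_000) so only the token balances change.
SCENARIOS = [(1_000_000, 500_000), (4_000_000, 500_000), (1_000_000, 2_500_000)]

if __name__ == "__main__":
    for supply, redeemable in SCENARIOS:
        reported = percent_penalty_as_reported(supply, redeemable)
        fixed = percent_penalty_recommended("UNRIPE_BEAN", 500_000)
        print(supply, redeemable, reported, in_percent_range(reported), fixed)
```

In this model the amount-based result moves with the balances and can leave the percentage range entirely, while the squared-percentage result depends only on the recapitalized percentage.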