The FjordPoints contract contains a mathematical vulnerability in the distributePoints function, where division is performed before multiplication, which may lead to precision loss. This vulnerability occurs when computing variables such as weeksPending, pointsPerToken, totalPoints, and lastDistribution.
Affected lines:
src/FjordPoints.sol#251
src/FjordPoints.sol#252-253
src/FjordPoints.sol#254
src/FjordPoints.sol#255
When integer division is performed before multiplication, Solidity truncates the result of the division, which can lead to precision loss. For instance, weeksPending evaluates to 0 whenever the duration between block.timestamp and lastDistribution is less than EPOCH_DURATION, causing the subsequent calculations to incorrectly evaluate to 0.
For example: if block.timestamp - lastDistribution is less than EPOCH_DURATION, weeksPending will be zero, and every further calculation that depends on weeksPending will also be zero.
Precision Loss: The calculated number of weeks pending, total points distributed, and points per token can be significantly lower than expected because of truncated results.
Incorrect Distribution: Users may not receive the correct number of points for their staked tokens, leading to an unfair point distribution.
Potential Exploitation: An attacker may manipulate the timing of calls to minimize weeksPending and thus reduce the points distributed.
Manual code review
Rearrange the arithmetic operations to perform multiplication before division to retain precision.
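To make the truncation concrete, the following is an added Python model of the arithmetic the finding describes; it is not the FjordPoints contract code (which the report does not reproduce), and the one-week EPOCH_DURATION, the 18-decimal scale, and the pointsPerEpoch, totalStaked and stake inputs are assumed. It places the division-first ordering beside the multiplication-first ordering from the recommendation and measures what a single staker loses to truncation.

```python
EPOCH_DURATION = 7 * 24 * 60 * 60  # assumed: one epoch is one week, in seconds
PRECISION_18 = 10**18              # assumed: 18-decimal fixed-point scale


def distribute_div_first(elapsed, points_per_epoch, total_staked):
    """Division before multiplication, as the finding describes.

    weeksPending is truncated to whole epochs first, so a partial epoch
    (and the whole period when elapsed < EPOCH_DURATION) contributes nothing.
    Returns (weeksPending, totalPoints, pointsPerToken).
    """
    weeks_pending = elapsed // EPOCH_DURATION
    total_points = points_per_epoch * weeks_pending
    points_per_token = weeks_pending * (points_per_epoch * PRECISION_18 // total_staked)
    return weeks_pending, total_points, points_per_token


def distribute_mul_first(elapsed, points_per_epoch, total_staked):
    """Multiplication before division: scale by elapsed time first, divide once.

    A single trailing division keeps the rounding error below one unit of
    the result, so the partial epoch is credited instead of discarded.
    Returns (totalPoints, pointsPerToken).
    """
    total_points = points_per_epoch * elapsed // EPOCH_DURATION
    points_per_token = (points_per_epoch * elapsed * PRECISION_18) // (EPOCH_DURATION * total_staked)
    return total_points, points_per_token


def user_points(stake, points_per_token):
    """Points credited to one staker for a given pointsPerToken accumulator value."""
    return stake * points_per_token // PRECISION_18


def points_lost(elapsed, points_per_epoch, total_staked, stake):
    """Points a staker loses to truncation under the division-first ordering."""
    _, _, ppt_div = distribute_div_first(elapsed, points_per_epoch, total_staked)
    _, ppt_mul = distribute_mul_first(elapsed, points_per_epoch, total_staked)
    return user_points(stake, ppt_mul) - user_points(stake, ppt_div)


if __name__ == "__main__":
    # Constructed inputs: 100 points per epoch, 1000 tokens staked, 1.5 epochs elapsed.
    elapsed = EPOCH_DURATION * 3 // 2
    ppe, staked, stake = 100 * PRECISION_18, 1000 * PRECISION_18, 10 * PRECISION_18
    print("division first :", distribute_div_first(elapsed, ppe, staked))
    print("multiply first :", distribute_mul_first(elapsed, ppe, staked))
    print("points lost by a 10-token staker:", points_lost(elapsed, ppe, staked, stake))
```

Note that the multiplication-first variant also credits partial epochs rather than only whole ones, so the reordering changes the accounting rule as well as the precision; the project would need to confirm that this is the intended behaviour.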