DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Users May Receive Excessive Points Due to Incorrect Calculation When `pointsPerToken` Decreases

Summary

See Below

Vulnerability Details

In the updatePendingPoints modifier of the FjordPoints contract, if pointsPerToken is less than lastPointsPerToken, the calculation for owed will result in a negative value. This occurs because Solidity’s unsigned integers cannot represent negative numbers, leading to an overflow. Consequently, the add operation in the updatePendingPoints modifier will incorrectly increase userInfo.pendingPoints by an excessively large amount. Here’s the relevant code snippet:

```solidity
modifier updatePendingPoints(address user) {
    UserInfo storage userInfo = users[user];
    uint256 owed = userInfo.stakedAmount.mul(pointsPerToken.sub(userInfo.lastPointsPerToken))
        .div(PRECISION_18);
    userInfo.pendingPoints = userInfo.pendingPoints.add(owed);
    userInfo.lastPointsPerToken = pointsPerToken;
    _;
}
```

  • pointsPerToken.sub(userInfo.lastPointsPerToken) will underflow and yield a large positive number if pointsPerToken is less than lastPointsPerToken.

  • As a result, the owed amount becomes excessively high, causing an incorrect update to userInfo.pendingPoints.

Impact

This issue can lead to users receiving an inflated amount of points, as pendingPoints could become excessively large. This undermines the accuracy of points distribution and could potentially be exploited to gain more points than intended.

Tools Used

Manual

Recommendations

Add a check to ensure pointsPerToken does not decrease relative to lastPointsPerToken. If a decrease is detected, the function should revert to prevent negative values from impacting the calculation.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
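
An added example, not part of the submission or the FjordPoints source: the `owed` formula evaluated when `pointsPerToken` is below `lastPointsPerToken`, assuming `.sub` is a SafeMath-style checked subtraction (the library is not shown on this page). The contract name, function names and input values are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the FjordPoints source. Every name except
// PRECISION_18 is hypothetical, and all inputs are constructed.
contract OwedPointsModel {
    uint256 internal constant PRECISION_18 = 1e18;

    // Assumed semantics of `.sub`: SafeMath-style, reverts when b > a.
    function checkedSub(uint256 a, uint256 b) public pure returns (uint256) {
        require(b <= a, "subtraction underflow");
        return a - b;
    }

    // Wrapping subtraction; in Solidity >=0.8 this needs an explicit `unchecked`.
    function wrappingSub(uint256 a, uint256 b) public pure returns (uint256) {
        unchecked {
            return a - b;
        }
    }

    // The modifier's formula with checked arithmetic throughout.
    function owed(uint256 staked, uint256 ppt, uint256 lastPpt)
        public pure returns (uint256)
    {
        return (staked * checkedSub(ppt, lastPpt)) / PRECISION_18;
    }

    // 100 tokens staked, pointsPerToken moves 2e18 -> 1e18 (a decrease).
    function decreaseCase()
        external view
        returns (bool reverted, uint256 checkedResult, uint256 wrapped)
    {
        try this.owed(100e18, 1e18, 2e18) returns (uint256 v) {
            checkedResult = v;
        } catch {
            // Checked path: the call reverts, so a modifier using it
            // would never reach the pendingPoints update.
            reverted = true;
        }
        // 2**256 - 1e18: the value produced only when the check is absent.
        wrapped = wrappingSub(1e18, 2e18);
    }

    // 100 tokens staked, pointsPerToken moves 1e18 -> 3e18: owed is 200e18.
    function increaseCase() external pure returns (uint256) {
        return owed(100e18, 3e18, 1e18);
    }
}
```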
