Submission Details
Severity: low
Invalid

[H-01] Incorrect calculation of steakPoints in mian.js

Summary

The code contains an issue where the result of the ethers.formatEther(amount) function, which returns a string, is directly multiplied by a numeric constant PRECISION. This causes incorrect calculations since multiplying a string by a number in JavaScript is not valid.

Vulnerability Details

In the steaking.on(STAKED, async (_, amount, onBehalfOf) => { ... }) event handler, the following line attempts to multiply the string returned by ethers.formatEther(amount) by the numeric constant PRECISION:

steakPoints.points += +ethers.formatEther(amount) * PRECISION;

Since ethers.formatEther(amount) returns a string, direct multiplication with PRECISION (which is defined as 1e3) does not yield the expected numeric result, leading to an incorrect calculation of stake points.

Impact

The bug leads to incorrect stake points being calculated and stored in the database, potentially affecting the accuracy of user rewards and any related functionalities.

Tools Used

Manual Review

Recommendations

To resolve this issue, convert the string returned by ethers.formatEther(amount) to a number before performing the multiplication. This can be done using parseFloat or Number, as shown below:

steakPoints.points += parseFloat(ethers.formatEther(amount)) * PRECISION;

This ensures that the multiplication operation is performed correctly, resulting in the accurate calculation of stake points.

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Precision
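
A check a reviewer can run against the two expressions quoted in the submission, added here as an example and not part of the submission or the project's code. formatEtherStandIn is a hypothetical stand-in for ethers.formatEther so the script runs offline, the sample amounts are constructed, and pointsBigInt is an assumed integer-only variant that goes beyond what the submission discusses.

```javascript
// Hypothetical stand-in for ethers.formatEther: wei (BigInt) -> decimal ether string.
function formatEtherStandIn(wei) {
  const WEI = 10n ** 18n;
  const whole = wei / WEI;
  const frac = (wei % WEI).toString().padStart(18, "0").replace(/0+$/, "");
  return `${whole}.${frac || "0"}`;
}

const PRECISION = 1e3; // value stated in the submission

// Line quoted from the event handler: unary plus converts the string to a
// number before the multiplication is evaluated.
function pointsUnaryPlus(wei) {
  return +formatEtherStandIn(wei) * PRECISION;
}

// Line quoted from the Recommendations section.
function pointsParseFloat(wei) {
  return parseFloat(formatEtherStandIn(wei)) * PRECISION;
}

// Assumed alternative (not from the page): scale in BigInt so no binary
// floating point is involved; amounts below 0.001 ether truncate to 0.
function pointsBigInt(wei) {
  return (wei * 1000n) / 10n ** 18n;
}

// Evaluate all three expressions for each amount, side by side.
function compare(samplesWei) {
  return samplesWei.map((wei) => ({
    ether: formatEtherStandIn(wei),
    unaryPlus: pointsUnaryPlus(wei),
    viaParseFloat: pointsParseFloat(wei),
    bigint: pointsBigInt(wei),
  }));
}

// Constructed sample amounts in wei: 1, 0.5, 1.001 and 1.234567890123456789 ether.
const SAMPLES = [
  10n ** 18n,
  5n * 10n ** 17n,
  1001n * 10n ** 15n,
  1234567890123456789n,
];

console.table(compare(SAMPLES));
```

The unaryPlus and viaParseFloat columns match on every row. The 1.001 ether row shows where the two floating-point forms and the integer form part ways.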
