Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Precision Loss in Reward Calculation

Summary

The withdrawableRewards function in the RewardsPool contract suffers from precision loss when calculating rewards for users with very small stakes. This results in users with minimal stakes not receiving any rewards, even when rewards have been distributed to the pool.

Vulnerability Details

The test case demonstrates that when a user stakes a very small amount and a small reward is distributed, the calculation of withdrawable rewards results in a value that rounds down to zero due to integer division in Solidity. This is evidenced by the passing test:

    it('should demonstrate precision loss in withdrawableRewards', async () => {
      const { accounts, controller, token1, adrs, signers, stakingToken } = await loadFixture(deployFixture);
      // Approve a small amount for staking
      await stakingToken.connect(signers[3]).approve(adrs.controller, 1);
      // Stake a very small amount
      await controller.connect(signers[3]).stake(1);
      // Distribute a small reward
      await token1.transferAndCall(adrs.rewardsPool1, 100, '0x00');
      const withdrawableRewards = await controller.withdrawableRewards(accounts[3]);
      // Check if the withdrawable rewards are rounded down to zero due to precision loss
      assert.equal(withdrawableRewards[0].toString(), '0', 'Precision loss not demonstrated');
    });

The test passes, confirming that withdrawableRewards returns 0 for the user with a minimal stake, even after rewards have been distributed to the pool.

Impact

  • Unfair Reward Distribution: Users with very small stakes may never receive rewards, even when they're entitled to them based on their proportional stake in the pool.

  • Discouragement of Small Stakers: This issue could discourage users from making small stakes, potentially reducing overall participation in the staking system and affecting the protocol's decentralization.

  • Accumulated Lost Rewards: Over time, this could lead to a non-trivial amount of rewards being effectively "lost" due to rounding errors, stuck in the contract and never distributed to any users.

  • Trust Issues: If users notice they're not receiving expected rewards for small stakes, it could lead to a loss of trust in the protocol.

Tools Used

Manual, Hardhat

Recommendations

To address this vulnerability, consider implementing one or more of the following solutions:

  • Increase Calculation Precision

  • Implement a Reward Accumulator

  • Set a Minimum Reward Threshold

  • Use Fixed-Point Arithmetic Libraries
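What the first two recommendations change, shown as an added example (not code from the submission or from the Stakelink contracts): a generic reward-per-token model using JavaScript BigInt, whose division truncates the way Solidity's uint256 division does. The function names, the scaling factor and the sample pool are assumptions made for illustration.

```javascript
// Added example: generic reward-per-token model, NOT the RewardsPool source.
// Names, PRECISION and the sample pool below are assumptions.
const PRECISION = 10n ** 18n; // scaling factor applied to the accumulator

// Distribute `reward` across `stakes` (array of BigInt balances).
// scale = 1n models unscaled integer division; scale = PRECISION models a
// scaled accumulator ("increase calculation precision").
function distribute(stakes, reward, scale) {
  const totalStaked = stakes.reduce((a, b) => a + b, 0n);
  if (totalStaked === 0n) {
    return { payouts: stakes.map(() => 0n), dust: reward }; // nobody to pay
  }
  // BigInt division truncates toward zero, like uint256 division.
  const rewardPerToken = (reward * scale) / totalStaked;
  const payouts = stakes.map((s) => (s * rewardPerToken) / scale);
  const paid = payouts.reduce((a, b) => a + b, 0n);
  return { payouts, dust: reward - paid }; // dust remains in the pool
}

// Floor of the exact proportional share: the most any whole-unit payout
// scheme can give this staker for this single distribution.
function exactShareFloor(stake, totalStaked, reward) {
  return totalStaked === 0n ? 0n : (stake * reward) / totalStaked;
}

// Constructed sample: one 1-unit staker beside two larger ones, reward of 100.
const stakes = [1n, 400n, 599n];
const unscaled = distribute(stakes, 100n, 1n);
const scaled = distribute(stakes, 100n, PRECISION);

console.log('unscaled', unscaled); // every payout truncated at the accumulator
console.log('scaled  ', scaled);   // larger stakers paid; sub-unit shares floor
console.log('floor for 1-unit staker', exactShareFloor(1n, 1000n, 100n));
```

In this model the scaled accumulator removes the truncation at the per-token step, while a share that is smaller than one token unit still floors to zero for that distribution and shows up as dust.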

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
