Weight calculation uses mulDown instead of mulUp in dynamic weight adjustments
Summary
calculateBlockNormalisedWeight function uses mulDown for positive weight changes, leading to systematic undervaluation of weight increases.
Vulnerability Details
Here's the affected code:
Here's the current implementation:
When weights are increasing (positive multiplier), the contract uses mulDown which rounds down the calculation. This creates a systematic undervaluation of weight increases. Here's what happens:
Real-world example:
-
Starting Position:
Token weight: 30% (0.3e18)
Weight should increase by 1% per second
Time passed: 5 seconds
Expected increase: 5% (0.05e18)
-
Current Calculation (using mulDown):
Multiplier calculation: mulDown(0.01e18 * 5)
Results in: 0.0499...e18
Final weight: 0.3499...e18 (34.99%)
-
Correct Calculation (using mulUp):
Multiplier calculation: mulUp(0.01e18 * 5)
Results in: 0.05e18
Final weight: 0.35e18 (35%)
Impact
Each weight update loses a small amount of precision These small losses accumulate over multiple updates. This precision loss, while small in individual instances, compounds over time and can lead to meaningful deviations in pool behavior from its intended design. Token weights become consistently undervalued. And this creates minor arbitrage opportunities.
Recommendations
The fix involves using mulUp for positive weight changes, ensuring full and accurate weight increases
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.