Summary

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/39e33b2f6b3890573bb1affc41a7e520277ceb2c/src/market-making/leaves/Distribution.sol#L93

The contract calculates and distributes value changes for actors based on their shares and the valuePerShare. However, there is a potential risk that an actor's value change may not be correctly accumulated or updated, leading to a loss of value over time. This could occur if actor shares are updated in a way that does not properly account for previous value changes, or if the function calls that update the actor's value change are improperly executed.

Vulnerability Details

_updateLastValuePerShare(Data storage self, Actor storage actor, UD60x18 newActorShares):

This function updates the actor's lastValuePerShare and calculates the actor's value change based on their current and previous shares. If the function is not called properly after each update to the actor's shares, the actor's lastValuePerShare may become outdated or incorrectly stored, which would lead to an inaccurate calculation of their value change.

accumulateActor(Data storage self, bytes32 actorId):

This function accumulates the actor’s value by calling _updateLastValuePerShare, which calculates the difference in value since the last update. If this function is not executed correctly, the actor’s value change could be lost or inaccurately updated. This could happen if the actor's shares are updated without properly updating the lastValuePerShare first.

setActorShares(Data storage self, bytes32 actorId, UD60x18 newActorShares):

This function updates the actor's shares and calls _updateLastValuePerShare to update the actor’s value. However, if the actor's shares are updated multiple times without properly accumulating their value change first, the previous value changes may be lost, leading to an incorrect calculation of the actor’s new value.

Root Cause

Improper Value Accumulation: The function _updateLastValuePerShare is designed to calculate and store the actor’s previous value per share, but if the actor's shares are updated without properly accumulating the value change, the previous value change could be lost. This can occur if the actor’s shares are updated before the value change is properly calculated and accumulated.

Lack of Frequent Updates: If the function accumulateActor is not frequently called or if actor shares are modified outside the intended flow, the accumulated value change might not be updated regularly, leading to an accumulation error where the actor's value change is not properly adjusted.

Incorrect Calculation in setActorShares: The actor’s shares are updated in setActorShares, and this function also updates the actor's value per share using _updateLastValuePerShare. However, if the new shares are set incorrectly or the value change is not recalculated in accordance with the share change, it could lead to the loss of previously calculated value changes for the actor.

Impact

Loss of Value for Actors: Actors may not receive the correct amount of value when shares are updated, resulting in an imbalance in the distribution.

Inaccurate Calculations: The actors' share of the total value may be miscalculated if their value change is not properly updated, leading to incorrect payouts or rewards.

Tools Used

Manual review

Recommendations

Ensure Proper Value Change Accumulation: Ensure that actor value changes are calculated and accumulated each time the actor’s shares are updated. This should be done before any updates to the actor’s shares are made, so that all changes are properly captured.

Update Actor’s lastValuePerShare After Share Changes: Whenever actor shares are modified (via setActorShares), it’s important to first calculate and store the actor’s previous value per share and ensure the accumulated value change is not lost. Ensure that _updateLastValuePerShare is executed every time actor shares are updated.

Regularly Call accumulateActor: To avoid losing accumulated value, ensure that accumulateActor is called regularly to track the actor’s value changes in real-time. This will help maintain the correct distribution of value for each actor.