Missing multiplication in the logic
Summary
During the execution of getVaultAccumulatedValues, the protocol calculates the updated vault shares for a given market. However, if the market has multiple vaults, the calculation of WETH rewards is incorrect.
Vulnerability Details
Scenario
Assume there are two vaults, both delegated with an equal amount of 50.
The market distributes 2 WETH as rewards.
The current implementation incorrectly assigns 2 WETH to each vault, resulting in a total of 4 WETH, which exceeds the available rewards.
Root Cause
The existing calculation does not consider the vault's proportional share of the total market delegation.
As a result, each vault receives the full WETH reward, rather than a fraction based on its share.
Impact
Over-distribution of WETH rewards, leading to an incorrect reward allocation.
Potential financial inconsistencies, as the protocol attempts to distribute more rewards than available.
Vulnerability to misallocation exploits, affecting fair distribution among vaults.
Tools Used
Manual review
Recommendations
Modify the reward calculation to ensure proportional distribution among multiple vaults:
Lead Judging Commences
`wethRewardPerVaultShare` is incremented by `receivedVaultWethReward` amount which is not divided by number of shares.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.