Submission Details
Severity:
Calculation of `BaseGauge::earned` has wrong value
Vulnerability Details
The BaseGauge::earned#L585 is using the wrong value for calculation.
/**
* @notice Calculates earned rewards for account
* @param account Address to calculate earnings for
* @return Amount of rewards earned
*/
function earned(address account) public view returns (uint256) {
return (getUserWeight(account) *
(getRewardPerToken() - userStates[account].rewardPerTokenPaid) / 1e18 👈👈
) + userStates[account].rewards;
}
Impact
When calculating earned rewards it should use BIPS not the 1e18
Tools Used
Manual
Recommendations
Use the BIPS value
/**
* @notice Calculates earned rewards for account
* @param account Address to calculate earnings for
* @return Amount of rewards earned
*/
function earned(address account) public view returns (uint256) {
return (getUserWeight(account) *
- (getRewardPerToken() - userStates[account].rewardPerTokenPaid) / 1e18
+ (getRewardPerToken() - userStates[account].rewardPerTokenPaid) / 10000
) + userStates[account].rewards;
}
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
BaseGauge reward calculations divide by 1e18 despite using 1e4 precision weights, causing all user weights to round down to zero and preventing reward distribution
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.