Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Incorrect Total Allocation Calculation in StabilityPool::getTotalAllocation()

Summary

The getTotalAllocation() function is intended to return the total allocation across all managers, as stated in its NatSpec comment. However, the function instead returns the totalAllocation variable, which includes both manager allocations and market allocations. This leads to incorrect calculations and misrepresentation of the actual total allocation for managers.

Vulnerability Details

/**
 * @notice Gets the total allocation across all managers.
 * @return Total allocation amount.
 */
function getTotalAllocation() external view returns (uint256) {
    return totalAllocation;
}

The totalAllocation variable is incremented in both addManager() and addMarket(), which means that getTotalAllocation() returns the combined total allocation of managers and markets, instead of only managers.

The NatSpec comment specifies that getTotalAllocation() should return the total allocation across all managers, but it currently includes allocations assigned to markets as well.

Impact

getTotalAllocation() is used to determine allocation limits or fund distribution, so managers will not get the full portion of rewards due to dilution by the markets' allocation.

Other smart contracts or external integrations relying on getTotalAllocation() will receive incorrect total allocation values.

Tools Used

Manual Review

Recommendations

Separate Manager and Market Allocations

Introduce a new variable totalManagerAllocation to track only manager allocations.
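
A sketch of the recommended separation, added here as an illustration and not taken from the audited StabilityPool code. The contract name, the addManager()/addMarket() signatures, the owner check, the custom errors and getTotalManagerAndMarketAllocation() are assumptions; only totalAllocation, totalManagerAllocation and getTotalAllocation() are names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only: a minimal stand-in for the allocation bookkeeping,
/// not the audited StabilityPool. Signatures and access control are assumed.
contract AllocationAccountingSketch {
    address public immutable owner;
    mapping(address => uint256) public managerAllocation;
    mapping(address => uint256) public marketAllocation;

    uint256 public totalAllocation;        // managers + markets (combined counter)
    uint256 public totalManagerAllocation; // managers only (recommended new variable)

    error NotOwner();
    error AlreadyRegistered();
    error ZeroAllocation();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function addManager(address manager, uint256 allocation) external onlyOwner {
        if (allocation == 0) revert ZeroAllocation();
        if (managerAllocation[manager] != 0) revert AlreadyRegistered();
        managerAllocation[manager] = allocation;
        totalManagerAllocation += allocation; // manager-only counter
        totalAllocation += allocation;        // combined counter stays in step
    }

    function addMarket(address market, uint256 allocation) external onlyOwner {
        if (allocation == 0) revert ZeroAllocation();
        if (marketAllocation[market] != 0) revert AlreadyRegistered();
        marketAllocation[market] = allocation;
        totalAllocation += allocation; // markets never touch the manager-only counter
    }

    /// @notice Gets the total allocation across all managers.
    function getTotalAllocation() external view returns (uint256) {
        return totalManagerAllocation;
    }

    /// @notice Combined manager and market allocation, under a name that says so.
    function getTotalManagerAndMarketAllocation() external view returns (uint256) {
        return totalAllocation;
    }
}
```

Any function that later changes or removes a manager's allocation has to adjust both counters, so that totalAllocation minus totalManagerAllocation always equals the sum of market allocations.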

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
