misleading comment in the calculateTimeWeightedBoost function
Summary :-
The BoostCalculator library contains a misleading comment in the calculateTimeWeightedBoost function, which could cause confusion for developers reviewing or maintaining the code. The comment incorrectly describes the calculation of the boosted amount, potentially leading to misinterpretations about how the boost multiplier is applied.
Vulnerability Details :-
The comment states:
````` Calculate boosted amount: amount * (boost / 10000)```
However, the actual Solidity operation performed is:
boostedAmount = (amount * boostBasisPoints) / 10000;
The issue arises because boost / 10000 (as implied by the comment) would result in zero when using Solidity’s integer division for small values, leading to incorrect calculations. In reality, the calculation first multiplies amount * boostBasisPoints, then divides by 10000, which avoids unintended truncation.
Impact :-
Potential for Incorrect Refactoring: If future developers attempt to optimize or modify the formula based on the comment, they might introduce unintended bugs or precision issues.
Misinterpretation in Audits: Security auditors or external reviewers might raise concerns about incorrect calculations when the actual logic is sound.
Tools Used :-
Manual code review
Recommendations :-
Update the Comment for Clarity: Modify the comment to correctly describe the calculation as follows:
// Calculate boosted amount: (amount * boostBasisPoints) / 10000
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.