Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing scaling factor in recordKeyPurchase? #156

Open
code423n4 opened this issue Nov 24, 2021 · 4 comments
Open

Missing scaling factor in recordKeyPurchase? #156

code423n4 opened this issue Nov 24, 2021 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working help wanted Extra attention is needed

Comments

@code423n4
Copy link
Contributor

Handle

cmichel

Vulnerability details

The Unlock.recordKeyPurchase function computes the maxTokens as:

maxTokens = IMintableERC20(udt).balanceOf(address(this)) * valueInETH / (2 + 2 * valueInETH / grossNetworkProduct) / grossNetworkProduct;

Note that grossNetworkProduct was already increased by valueInETH in the code before.
Meaning, the (2 + 2 * valueInETH / grossNetworkProduct) part of the computation will almost always be 2 as usually grossNetworkProduct > 2 * valueInETH, and thus the 2 * valueInETH / grossNetworkProduct is zero by integer division.

Impact

The maxTokens curve might not be computed as intended and lead to being able to receive more token rewards than intended.

Recommended Mitigation Steps

The comment "we distribute tokens using asymptotic curve between 0 and 0.5" should be more clear to indicate how exactly the curve looks like.
It could be that a floating-point number was desired instead of the integer division in 2 * valueInETH / grossNetworkProduct. In that case, consider adding a scaling factor to this term and divide by it at the end of the computation again.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 24, 2021
code423n4 added a commit that referenced this issue Nov 24, 2021
@code423n4
cmichel issue #156
0942708
@julien51
Copy link
Collaborator

I am not fully sure I understand what the problem is here?

@julien51 julien51 added the help wanted Extra attention is needed label Dec 11, 2021
@0xleastwood
Copy link
Collaborator

I think the warden is raising an issue where 2 * valueInEth / grossNetworkProduct will more than likely truncate and return 0. I think this is a valid finding.

@julien51
Copy link
Collaborator

Hum, we did some tests and could not reproduce here.

@0xleastwood
Copy link
Collaborator

I'm not sure how 2 * valueInETH / grossNetworkProduct does not always lead to some truncation. grossNetworkProduct is equal to valueInETH in the first call but always greater than valueInETH in any subsequent calls.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@julien51 @0xleastwood @code423n4