Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Imprecise calculations #243

Closed
code423n4 opened this issue Feb 9, 2022 · 3 comments
Closed

Imprecise calculations #243

code423n4 opened this issue Feb 9, 2022 · 3 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-02-concur/blob/main/contracts/MasterChef.sol#L150-L153

Vulnerability details

Impact

Even if the contract holds as few tokens as a million (with 18 decimals), and the pool holds one millionth of the totalAllocPoint, the division in line #152 may cause too large rounding errors (more than 1% of the value).

Even more severe imprecisions can be observed.

Tools Used

Manual analysis

Recommended Mitigation Steps

At first multiply all values, then preceed to division. This will provide exact results, rounded down. This will also allow for eliminating _concurShareMultiplier variable. It is better to store commulative rewards than an integer with arbitrary precision, which may not be enough.

multiplier is the number of blocks, we can assume it fits within 24 bits - this number of blocks hasn't been yet produced on mainnet.

concurPerBlock is proposed to be equal to 1e14, which fits within 48 bits

pool.allocPoint can be set within 32 bits to provide enough opportunity to weight tokens.

So that the result fits within 104 bits out of 256 available - there is no risk of overflow, even on adding to cummulative rewards.

Of course, the same applies to the calculations within pendingConcur.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Feb 9, 2022
code423n4 added a commit that referenced this issue Feb 9, 2022
@code423n4
Czar102 issue #243
2b8cefe
@r2moon r2moon added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Feb 15, 2022
@r2moon
Copy link
Collaborator

r2moon commented Feb 15, 2022

no issues here.

@GalloDaSballo
Copy link
Collaborator

I actually agree with the Warden here as there's rounding errors caused by the fact that a division is done on line 120.
Delaying the division would net higher precision.

While the rounding error is there and it can lead to a loss of value, I believe Low Severity is more appropriate as ultimately we're talking about dust amounts and the POC proposed doesn't seem to make an argument for massive values

@JeeberC4 JeeberC4 added duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Apr 21, 2022
@JeeberC4
Copy link

Adding to warden's QA Report #241

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@GalloDaSballo @r2moon @code423n4 @JeeberC4