This repository has been archived by the owner on May 26, 2023. It is now read-only.

Jeiwan - Increased reward token inflation due to double counting of totalFrozen #119

Closed
sherlock-admin opened this issue Nov 4, 2022 · 1 comment

sherlock-admin commented Nov 4, 2022

Jeiwan

high

Increased reward token inflation due to double counting of totalFrozen

Summary

Increased reward token inflation due to double counting of totalFrozen

Vulnerability Detail

In Union Protocol, stakers receive rewards in the UNION token. The token is emitted at a certain rate set by the governance and is sent to the Comptroller contract. Stakers can call the withdrawRewards function of Comptroller to get their share of UNION. A staker's share is determined based on:

  1. individual staker's activity;
  2. global state of a UserManager contract.

The latter includes: the total amount of staked tokens and the total amount of frozen tokens. As you can see, the _getUserManagerState function subtracts totalFrozen from totalStaked to get the effective staked amount:

function _getUserManagerState(IUserManager userManager) internal view returns (UserManagerState memory) {
    UserManagerState memory userManagerState;

    userManagerState.totalFrozen = userManager.totalFrozen();
    userManagerState.totalStaked = userManager.totalStaked() - userManagerState.totalFrozen;
    if (userManagerState.totalStaked < 1e18) {
        userManagerState.totalStaked = 1e18;
    }

    return userManagerState;
}

Later in the withdrawRewards function, totalFrozen is subtracted once again before updating the global inflation index:

// update the global states
uint256 totalStaked_ = userManagerState.totalStaked - userManagerState.totalFrozen;
gInflationIndex = _getInflationIndexNew(totalStaked_, block.number - gLastUpdatedBlock);

Impact

Since totalFrozen is subtracted twice, the effective amount of staked tokens will be lower than in reality. As a result, inflation per block will be higher (effectiveTotalStaked will be further away from halfDecayPoint) and the division by effectiveAmount will result in a bigger reward per effective staked amount.

Code Snippet

See Vulnerability Detail.

Tool used

Manual Review

Recommendation

Short term, subtract the totalFrozen amount only once. Long term, notice that subtracting the total frozen amount of tokens at least once always increases the inflation index because the total staked amount becomes lower (and further away from the decay point). This means that stakers might be incentivized to borrow from themselves (via intermediary accounts) and let debts become overdue to reduce the effective staked amount.

duplicate of #26
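
The double subtraction described in the report, modelled numerically as an added example (not code from the report or from Union Protocol). It assumes a constant emission per block and an index increment of blockDelta * inflation / effective stake; the Python function names and the sample figures are constructed for illustration.

```python
WAD = 10**18  # 18-decimal fixed point, matching the 1e18 floor in _getUserManagerState


def get_user_manager_state(total_staked: int, total_frozen: int) -> tuple[int, int]:
    """Mirror of _getUserManagerState: totalStaked is already net of totalFrozen."""
    net_staked = max(total_staked - total_frozen, WAD)
    return net_staked, total_frozen


def effective_stake_buggy(total_staked: int, total_frozen: int) -> int:
    """withdrawRewards as quoted: totalFrozen is subtracted a second time."""
    net_staked, frozen = get_user_manager_state(total_staked, total_frozen)
    if frozen > net_staked:
        raise ValueError("this model only covers totalFrozen <= net staked amount")
    return net_staked - frozen


def effective_stake_fixed(total_staked: int, total_frozen: int) -> int:
    """Short-term recommendation: subtract totalFrozen only once."""
    net_staked, _ = get_user_manager_state(total_staked, total_frozen)
    return net_staked


def index_increment(effective: int, block_delta: int, inflation_per_block: int) -> int:
    """Assumed shape of the index update: emission divided by effective stake.

    inflation_per_block is held constant here. The report notes it also rises
    as effective stake falls, so this model understates the real difference.
    """
    return block_delta * inflation_per_block * WAD // effective


if __name__ == "__main__":
    # Constructed sample: 1000 tokens staked, 200 frozen, 100 blocks, 1 token/block.
    staked, frozen, blocks, emission = 1000 * WAD, 200 * WAD, 100, 1 * WAD
    for name, fn in (("fixed", effective_stake_fixed), ("buggy", effective_stake_buggy)):
        eff = fn(staked, frozen)
        inc = index_increment(eff, blocks, emission)
        print(f"{name}: effective={eff // WAD} tokens, index increment={inc}")
```

With these figures the buggy path divides by 600 tokens instead of 800, so the index grows 4/3 as fast even before any change in the emission rate.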
