This repository has been archived by the owner on May 26, 2023. It is now read-only.
Lambda - Comptroller.withdrawRewards: totalFrozen subtracted two times from totalStaked #64
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Lambda
medium
Comptroller.withdrawRewards: totalFrozen subtracted two times from totalStaked
Summary
In
Comptroller.withdrawRewards,userManagerState.totalFrozenis subtracted two times fromtotalStaked, leading to a wrong inflation index or even a broken system because the calculation underflows.Vulnerability Detail
_getUserManagerStatecalculates thetotalStakedlike this:totalStakedis therefore already set tototalStaked - totalFrozen. However, inwithdrawRewards, the following calculation is performed:totalFrozenis therefore subtracted fromtotalStakedagain, meaning we have:Impact
When
userManagerState.totalFrozen()is sufficiently large, this can lead to an underflow, meaning thatwithdrawRewards(and thereforeUserManager.stake,UserManager.unstake, andUserManager.withdrawRewards) can never be executed, which bricks the system. But even if it does not underflow, the following update ofgInflationIndexwill use a wrong value.Code Snippet
https://github.com/sherlock-audit/2022-10-union-finance/blob/main/union-v2-contracts/contracts/token/Comptroller.sol#L260
Tool used
Manual Review
Recommendation
Do not subtract
totalFrozena second time.duplicate of #26
The text was updated successfully, but these errors were encountered: