'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Kinetic Disclosed Report
Audit report Kinetic Audit ContestReward Distribution Precision Loss Could Lead to Zero Rewards
Target
https://github.com/kinetic-market/public-money-market-contracts
Vulnerability Details
Description
Attackers can exploit the precision loss in reward calculations by frequently calling the updateRewardSupplyIndex and updateRewardBorrowIndex functions, causing the rewards to be effectively zero. In particular, when attackers repeatedly call these functions, the downwards rounding may result in no increase in the rewardSupplyState.index or rewardBorrowState.index. This issue is more prominent in chains with low gas costs and fast block times.
Here’s the relevant part of the code:
function updateRewardSupplyIndex(uint8 rewardType, address cToken) internal {
require(rewardType < rewardTokens.length, "IR");
RewardMarketState storage supplyState = rewardSupplyState[rewardType][cToken];
uint supplySpeed = supplyRewardSpeeds[rewardType][cToken];
uint blockTimestamp = getBlockTimestamp();
uint deltaTimestamps = sub_(blockTimestamp, uint(supplyState.timestamp));
if (deltaTimestamps > 0 && supplySpeed > 0) {
uint supplyTokens = CToken(cToken).totalSupply();
uint rewardsAccrued = mul_(deltaTimestamps, supplySpeed);
Double memory ratio = supplyTokens > 0 ? fraction(rewardsAccrued, supplyTokens) : Double({mantissa: 0});
Double memory index = add_(Double({mantissa: supplyState.index}), ratio);
rewardSupplyState[rewardType][cToken] = RewardMarketState({
index: safe224(index.mantissa, "224"),
timestamp: safe32(blockTimestamp, "32")
});
} else if (deltaTimestamps > 0) {
supplyState.timestamp = safe32(blockTimestamp, "32");
}
}
In this function, the reward index might not increase as expected because of rounding, causing a situation where no rewards are distributed. The problem is exacerbated in environments where transactions are cheap, and blocks are mined quickly, allowing an attacker to repeatedly call the function and manipulate the rewards.
Recommendations
Implement additional precision or checks to ensure that the reward index is updated correctly even when small values are involved.
Validation steps
https://github.com/kinetic-market/public-money-market-contracts/blob/d46f5223344ff6502349549ad858588e496483df/contracts/Comptroller.sol#L932-L950
https://github.com/kinetic-market/public-money-market-contracts/blob/d46f5223344ff6502349549ad858588e496483df/contracts/Comptroller.sol#L957-L975
Comments on this report are hidden 
Details 
Participants (3) 
