This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
BTK - pow() function returns inconsistent values
#31
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
the
Excluded
|
1 comment(s) were left on this issue during the judging contest. Trumpero commented:
|
sherlock-admin
changed the title
pow() function returns inconsistent valuespow() function returns inconsistent values
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
BTK
medium
pow()function returns inconsistent valuesSummary
The
GPToke.previewPointsfunction calculates the points a user will earn by staking a specified amount for a given duration. It ensures the duration is within valid limits, then calculates points using a formula involving the staking duration and a multiplier. The function returns the earned points and the staking end time.The multiplier is calculated using
pow()as follow:Vulnerability Detail
The issue is that
PRBMathcontains a critical vulnerability in thepow()function, which can return inconsistent values. This vulnerability is of great importance to the Tokemak protocol, as the function is used in the computation of how many points a user should get.GPToke.previewPointsfunction is called in both:extend()_stakeRecently, another protocol has also experienced the same bug, and the creators of the PRBMath have acknowledged this situation:
Impact
PRBMath
pow()function can return inconsistent values.Code Snippet
Tool used
Manual Review
Recommendation
To mitigate this issue, please update the contracts to
0.8.19and upgrade thePRBMathto version V4 because these errors have been corrected(Link).The text was updated successfully, but these errors were encountered: