This repository has been archived by the owner on Jan 19, 2025. It is now read-only.

Kow - GetAllReputersOutput: If listenedStakeFraction < minStakeFraction, the differential will not be properly interpolated to ensure listenedStakeFraction = minStakeFraction #72

Closed
sherlock-admin3 opened this issue Jul 19, 2024 · 2 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

sherlock-admin3 commented Jul 19, 2024

Kow

Medium

GetAllReputersOutput: If listenedStakeFraction < minStakeFraction, the differential will not be properly interpolated to ensure listenedStakeFraction = minStakeFraction

Summary

If listenedStakeFraction < minStakeFraction, the differential will not be properly interpolated to ensure listenedStakeFraction = minStakeFraction.

Vulnerability Detail

https://github.com/sherlock-audit/2024-06-allora/blob/4e1bc73db32873476f8b0a88945815d3978d931c/allora-chain/x/emissions/module/rewards/rewards_internal.go#L546-L574

```go
if listenedStakeFraction.Lt(minStakeFraction) {
	for l := range coefficients {
		coeffDiff, err := coefficients[l].Sub(oldCoefficients[l])
		if err != nil {
			return nil, nil, err
		}
		...
		if stakedFracDiff.IsZero() {
			i = gradientDescentMaxIters
		} else {
			coeffDiffTimesListenedDiff, err := coeffDiff.Mul(listenedDiff)
			if err != nil {
				return nil, nil, err
			}
			coefDiffTimesListenedDiffOverStakedFracDiff, err := coeffDiffTimesListenedDiff.Quo(stakedFracDiff)
			if err != nil {
				return nil, nil, err
			}
			coefficients[l], err = oldCoefficients[l].Add(coefDiffTimesListenedDiffOverStakedFracDiff)
			if err != nil {
				return nil, nil, err
			}
```

In the whitepaper under equation 34, it is mentioned that whenever the fraction of the stake listened to falls below a minimum, the differential is interpolated so that the fraction is equal to the minimum. The corresponding logic is in the above snippet. The issue is coeffDiff calculates coefficients[i] - oldCoefficients[i], but at this point coefficients always contains the same values as oldCoefficients (since coefficients is copied into oldCoefficients at the start of the outer loop and neither is changed up to this point). Consequently, coeffDiff will always be 0 for all coefficients and coefficients will not change.

Impact

Fraction of stake listened to will not be corrected to the minimum if below the minimum, such that the adjusted stake(s) calculated will not be as intended resulting in incorrect distribution of rewards.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/4e1bc73db32873476f8b0a88945815d3978d931c/allora-chain/x/emissions/module/rewards/rewards_internal.go#L546-L574

Tool used

Manual Review

Recommendation

Calculate coeffDiff = newCoefficients[i] - oldCoefficients[i] instead.

Duplicate of #93
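
The effect described in this report, as an added example that is not part of the original issue or the Allora code base: a simplified float64 model of the interpolation step, run once with the reported difference and once with the recommended one. The function names, the stake-weighted definition of the listened fraction, and the definitions of `listenedDiff` and `stakedFracDiff` (elided in the snippet above) are assumptions.

```go
package main

import "fmt"

// listenedFraction: stake-weighted mean of the coefficients (assumed model).
func listenedFraction(coef, stake []float64) float64 {
	var num, den float64
	for i := range coef {
		num += coef[i] * stake[i]
		den += stake[i]
	}
	return num / den
}

// interpolate scales the step from old toward proposed so the listened
// fraction lands on minFrac. listenedDiff and stakedFracDiff are assumed
// definitions; the page elides them. buggy=true reproduces the reported
// form, where the diff is taken from a slice that still equals old.
func interpolate(old, proposed, stake []float64, minFrac float64, buggy bool) []float64 {
	coefficients := append([]float64(nil), old...) // untouched copy of old
	oldFrac := listenedFraction(old, stake)
	newFrac := listenedFraction(proposed, stake)
	if newFrac >= minFrac {
		return append([]float64(nil), proposed...) // no correction needed
	}
	stakedFracDiff := newFrac - oldFrac
	if stakedFracDiff == 0 {
		return coefficients // avoid division by zero, keep old values
	}
	listenedDiff := minFrac - oldFrac
	for l := range coefficients {
		coeffDiff := proposed[l] - old[l] // recommended: new - old
		if buggy {
			coeffDiff = coefficients[l] - old[l] // reported: always 0
		}
		coefficients[l] = old[l] + coeffDiff*listenedDiff/stakedFracDiff
	}
	return coefficients
}

func main() {
	// Constructed sample values, not taken from the chain.
	old, proposed, stake := []float64{1, 1}, []float64{1, 0}, []float64{1, 3}
	for _, buggy := range []bool{true, false} {
		c := interpolate(old, proposed, stake, 0.625, buggy)
		fmt.Printf("buggy=%v coefficients=%v listened=%.3f\n", buggy, c, listenedFraction(c, stake))
	}
}
```

In this model the reported form returns the old coefficients unchanged, while the recommended form returns coefficients whose listened fraction equals the minimum.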

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin3

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

coeffDiff is always zero

@sherlock-admin3 sherlock-admin3 added the Sponsor Confirmed The sponsor acknowledged this issue is valid label Aug 8, 2024
@sherlock-admin4 sherlock-admin4 changed the title Narrow Arctic Spider - GetAllReputersOutput: If listenedStakeFraction < minStakeFraction, the differential will not be properly interpolated to ensure listenedStakeFraction = minStakeFraction Kow - GetAllReputersOutput: If listenedStakeFraction < minStakeFraction, the differential will not be properly interpolated to ensure listenedStakeFraction = minStakeFraction Aug 9, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Aug 9, 2024
@sherlock-admin2

The protocol team fixed this issue in the following PRs/commits:
allora-network/allora-chain#516

@sherlock-admin3 sherlock-admin3 added the Will Fix The sponsor confirmed this issue will be fixed label Aug 13, 2024