31380 - [SC - High] FluxTokencalculateBPT uses wrong algorithm caus...

Submitted on May 17th 2024 at 19:31:09 UTC by @yttriumzz for Boost | Alchemix

Report ID: #31380

Report type: Smart Contract

Report severity: High

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol

Impacts:

• Theft of unclaimed yield

Description

Brief/Intro

The FluxToken contract allows users to mint some $FLUX at once using AlchemechNFT or AlEthNFT. The number of mint is calculated based on the tokenData of the NFT. However, FluxToken.calculateBPT does not divide by BPS resulting in the number of mint being 10000 times larger than expected.

Vulnerability Details

Please look at the following code. The getClaimableFlux function is used to calculate the number of mint. It calls the calculateBPT function.

///// https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/FluxToken.sol#L215-L216
    function getClaimableFlux(uint256 _amount, address _nft) public view returns (uint256 claimableFlux) {
        uint256 bpt = calculateBPT(_amount);

Let's look at the calculateBPT function, which multiplies _amount by bptMultiplier.

According to the comment of the bptMultiplier variable, it should represent 0.4%. So, multiplied by bptMultiplier should be divided by BPS (10000)

Note: The two divisions by BPS in the getClaimableFlux function correspond to the following variables, which have nothing to do with bptMultiplier.

• fluxPerVe: 5000 represents 50%

• alchemechMultiplier: 5 represents 0.05%

Suggested fix

Impact Details

Users can get 10,000 times more $FLUX than expected

References

None

Proof of concept

The PoC patch

Run the PoC

The log

The tokenData of the NFT is 0.24999186958252062, and the mint $FLUX is 7.499756087469342.