Last updated
Was this helpful?
Submitted on May 20th 2024 at 05:03:00 UTC by @Holterhus for
Report ID: #31478
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol
Impacts:
Theft of unclaimed royalties
The calculateBPT() function in FluxToken.sol (which is used when claiming FLUX for NFT holders) inflates the result by 10000x, as it doesn't divide by basis points.
bptMultiplier sets the ratio of FLUX that patron NFT holders receive. It is intended to set the value to 0.4% by setting it to 40 and dividing by BPS.
However, when BPT is calculated, we never divide by BPS:
This function is used when calculating the amount of FLUX that is claimable for NFT holders. The result is that this value will be inflated by 10000x, so 10000x more FLUX will be claimed than should be. This excess FLUX can be used for boosting bribe payments in an unfair manner (since the user should not have as much boosting ability as they receive).
FluxToken.sol
The following test can be added to FluxToken.t.sol. It should return 0.4% of amount, which would equal 40, but instead returns 400_000.
