31486 - [SC - High] getClaimableFlux miscalculates claimable FLUX f...

Submitted on May 20th 2024 at 09:53:00 UTC by @Holterhus for Boost | Alchemix

Report ID: #31486

Report type: Smart Contract

Report severity: High

Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/FluxToken.sol

Impacts:

• Permanent freezing of unclaimed royalties

Description

Brief/Intro

When NFT holders claim FLUX, the base claimableFlux amount is calculated based on veALCX values, but the formula is implemented incorrectly which leads to the wrong results.

Vulnerability Details

claimableFlux is intended to calculate the amount of FLUX that would be earned in 1 year, assuming max lock was enabled.

This should be calculated as follows:

amount * fluxPerveALCX * maxLockMultiplier * numEpochsInOneYear

(This is because, each epoch, it would earn amount * fluxPerVeALCX * maxLockMultiplier.)

This can be expressed in Solidity as:

Instead, it is calculated as follows:

There are a number of issues with this calculation (ignoring that bpt is used instead of _amount, as that is covered in a separate submission):

1. We multiply and divide by veMax, rather than dividing by the length of time of one epoch in order to get the number of epochs in MAXTIME.

2. We do (fluxPerVe + BPS) / BPS instead of simply fluxPerVe / BPS, which gives us a 150% payout per Ve rather than the 50% that is intended.

3. We divide by fluxMul, which does not appear to be relevant.

Impact Details

This will result in the wrong amount of FLUX being calculated when NFT holders claim FLUX. This leads to a permanent loss of value to the claimers of the FLUX.

References

FluxToken.sol

Proof of Concept

The following test can be added to FluxToken.t.sol. It should show that different values arise for the calculated claimable FLUX amount and the actual amount that is accrued for a year.