Shambolic Pink Jay
Medium
Currency token is used to add to, or subtract from, the users token amount. userTokens stores the amount of requested tokens that the user has, but instead of updating with the new amount of tokens after the update, it uses the currencyAmount (not the token amount) to add / subtract from that balance, causing wrong accounting.
In updateParticipation a user can increase or reduce the amount of requested tokens they will have. The price difference of these tokens is calculated by comparing the new amount of tokens to the previous amount of tokens -> and their respective value in currency. The difference in currency is then transferred to the user or transferred from the user .
It is important to note that these are 2 different tokens, and the amount of tokens does not equal the amount of currency, as the amount of currency is the price of the tokens.
The price difference between the new amount of tokens from the previous amount of tokens happens here: The same method is used for whether a user increasing and decreasing their token amount.
The problem exists here where the userTokens -> which is strictly used for token amounts and not currency amounts, is updated with the price difference of the token amounts, instead of being updated with the new token amount.
** for decreasing token amount **
** for addition token amount **
This leads to an accounting error, because the amount used for the update is the currency price difference of the token amounts. So essentially, userTokens -> which is supposed to represent the amount of requested tokens for a user will have the price difference of the token amounts (in currency) added or subtracted from their previous token amount. This can be drastically different from what it should be, which is their new token amount.
The function then populates the users new ParticipationRequest struct with their new token amount, a very different value that will be stored in userTokens.
None.
None.
None, this is a flaw which leads to innaccurate accounting.
Unexpected actions and functionality can result from this, as the internal accounting for a user will be wrong and depending on the price of tokens, can be drastically wrong, leading to unintended functionality for the protocol and user.
To illustrate how userTokens is only used for storing the token amount and never any amounts in currency, i will show where the valeu is updated and used in several different functions, and its reliance on that amount strictly representing the requested token amount.
- In
participate-userTokenamount is retrieved, and the amount of tokens the user is requesting is added to the variable - not the currency amount.
https://github.com/sherlock-audit/2025-02-rova/blob/main/rova-contracts/src/Launch.sol#L243-L244 https://github.com/sherlock-audit/2025-02-rova/blob/main/rova-contracts/src/Launch.sol#L251-L252 https://github.com/sherlock-audit/2025-02-rova/blob/main/rova-contracts/src/Launch.sol#L292-L293
- In
cancelParticipation-userTokenamount is retrieved and then the amount of tokens in the cancellation is subtracted from that value, not the currency amount of the cancelled tokens.
The price difference of the tokens is not used in cancelParticipation for the updating of userTokens - only the token amount to be removed is used. This maintains userTokens only representing the actual token amount for a user.
The currency price difference should never be used for userTokens, it relies on ONLY representing the token amount.
The method used in cancelParticipation to update userTokens should be followed and used and maintain consistency in the accounting throughout the protocol.
- Calculate the difference of
tokenamounts and then depending on whether the user is updating to increase their token amount or decrease their token amount, add or subtract the difference to their current token value inuserTokens