Logic errors arise from mistakes in the program’s control flow or conditional statements.
These errors usually occur when the code’s behavior deviates from its intended purpose, not because of a flaw in the underlying arithmetic but due to a conceptual mistake in implementing rules or boundaries.
Code
// SPDX-License-Identifier: MITpragmasolidity ^0.8.0;contract VulnerableMarket {uint256constant BLOCK_EPOCH =100000;mapping(uint256=>uint256) public cantoPerBlock; // Reward rates by epochstructMarketInfo {uint256 lastRewardBlock;uint256 accCantoPerShare; }mapping(address=> MarketInfo) public marketInfo;constructor() { cantoPerBlock[0] =100; // Reward for epoch 0-99999 cantoPerBlock[BLOCK_EPOCH] =0; // No reward for epoch 100000+ }functionupdate_market(address_market) public { MarketInfo storage market = marketInfo[_market];if (block.number > market.lastRewardBlock) {uint256 i = market.lastRewardBlock;while (i < block.number) {uint256 epoch = (i / BLOCK_EPOCH) * BLOCK_EPOCH;// Incorrect: should be `epoch + BLOCK_EPOCH` // Adding BLOCK_EPOCH to i only creates a fixed offset from i. It moves i forward by 100,000 blocks from whatever its current position is. However, this new position could land anywhere within an epoch and will not necessarily align with the start of the next epoch boundary
uint256 nextEpoch = i + BLOCK_EPOCH; uint256 blockDelta =min(nextEpoch, block.number) - i;// Incorrect reward calculation across epochs market.accCantoPerShare += blockDelta * cantoPerBlock[epoch]; i += blockDelta; } market.lastRewardBlock = block.number; } }functionmin(uint256 a,uint256 b) internalpurereturns (uint256) {return a < b ? a : b; }}
