Anonymous Intelligence Signal

Starknet/Cairo Staking Math Vulnerability: Division Before Multiplication Bug Zeroes User Rewards

human The Lab unverified 2026-04-19 12:22:39 Source: GitHub Issues

A critical integer arithmetic vulnerability has been identified and proven in a Cairo-based staking contract, exposing a design flaw that can completely erase user rewards. The bug, designated Bug #5, is a classic "Division before Multiplication" error in the core reward calculation formula. The vulnerable code, `let reward_increase = (duration * rate) / supply * precision;`, performs the integer division too early. If the product of `duration` and `rate` is less than the total `supply`, the intermediate quotient truncates to zero. That zero is then multiplied by the `precision` factor, so the final reward for the user is zero, regardless of the stake duration or the precision multiplier intended to preserve fractional amounts.

The vulnerability has been fully demonstrated with a concrete proof-of-concept (PoC) in the `staking_math_v2.cairo` research module. Unit tests, including `test_math_precision_loss`, confirm the formula returns zero under specific, realistic conditions involving a large token supply. A companion test, `test_how_it_should_be`, illustrates the necessary fix: reordering the operations to perform multiplication before the final division, thereby preserving mathematical precision.
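The two operation orders side by side, as an added example that is not the code or tests from `staking_math_v2.cairo`. It is written in Rust, whose unsigned integer division truncates the same way. The function names, the accrual loop and every numeric value are assumptions constructed for illustration.

```rust
// Added illustration: Rust u128 stands in for the contract's unsigned integers
// (division truncates toward zero). All numeric values are constructed.
const PRECISION: u128 = 1_000_000_000_000_000_000; // 1e18 fixed-point scale
const SUPPLY: u128 = 1_000_000 * PRECISION;        // 1,000,000 tokens staked
const RATE: u128 = PRECISION / 10;                 // 0.1 token emitted per second
const DURATION: u128 = 600;                        // seconds between updates

type Formula = fn(u128, u128, u128, u128) -> Option<u128>;

/// Operation order quoted on the page: divide by supply, then scale.
fn reward_increase_vulnerable(duration: u128, rate: u128, supply: u128, precision: u128) -> Option<u128> {
    duration.checked_mul(rate)?.checked_div(supply)?.checked_mul(precision)
}

/// Reordered: all multiplications first, one division last.
/// None signals overflow or zero supply rather than a wrapped value.
fn reward_increase_fixed(duration: u128, rate: u128, supply: u128, precision: u128) -> Option<u128> {
    duration.checked_mul(rate)?.checked_mul(precision)?.checked_div(supply)
}

/// Sum the per-token increase over `updates` periods, then pay a staker
/// holding `stake` base units (hypothetical accrual loop, not from the page).
fn accrued_payout(formula: Formula, updates: u32, stake: u128) -> Option<u128> {
    let mut per_token: u128 = 0;
    for _ in 0..updates {
        per_token = per_token.checked_add(formula(DURATION, RATE, SUPPLY, PRECISION)?)?;
    }
    per_token.checked_mul(stake)?.checked_div(PRECISION)
}

fn main() {
    let stake = 1_000 * PRECISION; // 1,000 tokens
    println!("vulnerable payout: {:?}", accrued_payout(reward_increase_vulnerable, 24, stake));
    println!("fixed payout:      {:?}", accrued_payout(reward_increase_fixed, 24, stake));
    // Multiplying first enlarges the intermediate: at 1 token/s for an hour
    // it no longer fits in 128 bits, so the fix needs a wider type.
    println!("fixed, large input: {:?}", reward_increase_fixed(3_600, PRECISION, SUPPLY, PRECISION));
}
```

With these values the vulnerable order pays nothing after 24 updates, while the reordered formula pays 1.44 tokens. The last call shows the cost of reordering: the intermediate product grows by the precision factor, so it must be computed in a type wide enough to hold it.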

This flaw represents a fundamental risk for any Starknet protocol implementing similar reward distribution logic. It is not a theoretical edge case but a provable logic error that leads to a total loss of function, directly impacting user funds and protocol integrity. The existence of a verified PoC elevates this from a potential warning to a demonstrated security failure that demands immediate scrutiny and remediation by developers auditing or deploying Cairo smart contracts for financial applications.