20,000 USDC
Submission Details
Severity: low
Valid

Loss of Precision in Fee Calculation

Summary

The refinance function in the provided smart contract allows borrowers to refinance existing loans to new offers using a pool of funds. However, there is a potential issue related to loss of precision in the fee calculation, which may lead to incorrect fee values and financial discrepancies during the loan refinancing process.

Vulnerability Details

Within the refinance function, the vulnerability arises in the fee calculation step, where the borrower's fee is determined based on the difference between the new debt amount (debt) and the calculated amount to be paid (debtToPay). The code snippet in question is as follows:

uint256 fee = (borrowerFee * (debt - debtToPay)) / 10000;

The vulnerability stems from the possibility of an overflow or loss of precision when performing the intermediate calculation (borrowerFee * (debt - debtToPay)). If the intermediate result exceeds the maximum representable value for a uint256, the subsequent division by 10000 could produce an incorrect fee value.

Impact

The impact of this vulnerability is that borrowers may be charged incorrect or unexpected fees during the loan refinancing process, leading to financial losses or discrepancies between the borrower's expectation and the actual fee charged.

Tools Used

Manual

Recommendations

Use fixed-point arithmetic to handle the intermediate calculations. Fixed-point arithmetic involves representing fractional values with a fixed number of decimal places.

// Define the number of decimal places for fixed-point arithmetic
uint256 constant FIXED_DECIMALS = 10**18;
// ...
// Calculate the fee using fixed-point arithmetic
uint256 fee = (borrowerFee * (debt - debtToPay) * FIXED_DECIMALS) / 10000;
// Divide by FIXED_DECIMALS to get the correct fee value
fee /= FIXED_DECIMALS;
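The two fee expressions above, modelled in Python as an added example (not code from the audited contract or from the submission) so that the truncated remainder and the overflow bound of each can be compared on concrete inputs. It assumes uint256 arithmetic that reverts on overflow, as in Solidity 0.8 and later, which the report does not state; the 50 basis point fee and the loan amounts are constructed sample values.

```python
# Added example: Python model of the report's two fee expressions.
# Assumption: uint256 arithmetic that reverts on overflow (Solidity >= 0.8).
UINT256_MAX = 2**256 - 1
BPS = 10_000                 # divisor used in the report's fee formula
FIXED_DECIMALS = 10**18      # scale factor from the recommendation


class Revert(ArithmeticError):
    """Models a checked-arithmetic revert."""


def _checked_mul(a, b):
    product = a * b
    if product > UINT256_MAX:
        raise Revert("uint256 multiplication overflow")
    return product


def _checked_sub(a, b):
    if b > a:
        raise Revert("uint256 subtraction underflow")
    return a - b


def fee_original(borrower_fee, debt, debt_to_pay):
    # (borrowerFee * (debt - debtToPay)) / 10000
    return _checked_mul(borrower_fee, _checked_sub(debt, debt_to_pay)) // BPS


def fee_scaled(borrower_fee, debt, debt_to_pay):
    # (borrowerFee * (debt - debtToPay) * FIXED_DECIMALS) / 10000, then / FIXED_DECIMALS
    delta = _checked_sub(debt, debt_to_pay)
    fee = _checked_mul(_checked_mul(borrower_fee, delta), FIXED_DECIMALS) // BPS
    return fee // FIXED_DECIMALS


def truncated_remainder(borrower_fee, debt, debt_to_pay):
    """Numerator remainder dropped by the division, in 1/10000 of a base unit."""
    return _checked_mul(borrower_fee, _checked_sub(debt, debt_to_pay)) % BPS


def max_delta(borrower_fee, scaled):
    """Largest (debt - debtToPay) whose intermediate product fits in uint256."""
    limit = UINT256_MAX // borrower_fee
    return limit // FIXED_DECIMALS if scaled else limit


if __name__ == "__main__":
    FEE_BPS = 50  # constructed sample: 0.5% borrower fee
    for debt, paid in [(199, 0), (12_345, 0), (10**24, 4 * 10**23)]:
        print(debt - paid, fee_original(FEE_BPS, debt, paid),
              fee_scaled(FEE_BPS, debt, paid), truncated_remainder(FEE_BPS, debt, paid))
    print(max_delta(FEE_BPS, False).bit_length(), max_delta(FEE_BPS, True).bit_length())
```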
