Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low
Valid

Precision loss in `Distributor._distribute()` can cause supporters to receive zero rewards

Summary

Precision loss can result in supporters receiving zero rewards.

Vulnerability Details

The calculation on line 146, `uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;`, results in precision loss, so `amount` will be zero if `totalAmount * percentages[i] < BASIS_POINTS`. If this happens to a supporter, they will not receive their reward, and their reward will be sent to the `STADIUM_ADDRESS` instead.
PoC example:

  1. Funding from sponsors results in `totalAmount` of a certain token equaling 9999.

  2. Some supporter's reward percentage is equal to one basis point, so their `percentages[i]` is equal to 1.

  3. `BASIS_POINTS` is a constant equal to 10000, so this supporter's reward amount is calculated as `9999 * 1 / 10000`, which gets rounded down to zero.

The result is that the supporter does not receive their reward for this token.

Impact

Supporters may receive zero rewards.

Tools Used

Manual Review

Recommendations

Ensure that the `totalAmount` for any token is greater than or equal to the value of `BASIS_POINTS`. If this is the case then supporters with nonzero award allocation will always receive rewards, because the smallest possible nonzero value of `percentages[i]` is 1.
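
The PoC and the recommended bound can be checked with a small model of the payout arithmetic. This is an added Python example, not code from the Sparkn contracts: the function names and sample shares are constructed, and it assumes that whatever is not paid to winners is the amount that ends up at `STADIUM_ADDRESS`. It also goes one step beyond the report by computing the exact minimum `totalAmount` for a given set of shares.

```python
# Added illustration: models the payout formula quoted from line 146.
BASIS_POINTS = 10_000  # constant value stated in the report


def distribute(total_amount, percentages):
    """Return (payouts, remainder) for one token.

    Python's // on non-negative ints truncates like Solidity's uint256 division.
    """
    payouts = [total_amount * p // BASIS_POINTS for p in percentages]
    # Assumption: the unpaid remainder is what reaches STADIUM_ADDRESS.
    remainder = total_amount - sum(payouts)
    return payouts, remainder


def zeroed_winners(total_amount, percentages):
    """Indexes of winners with a nonzero share whose payout rounds to zero."""
    payouts, _ = distribute(total_amount, percentages)
    return [i for i, (p, a) in enumerate(zip(percentages, payouts))
            if p > 0 and a == 0]


def min_safe_total(percentages):
    """Smallest total_amount at which every nonzero share pays at least 1 unit.

    amount >= 1  <=>  total_amount * p >= BASIS_POINTS, so the bound is
    ceil(BASIS_POINTS / smallest nonzero p).
    """
    smallest = min(p for p in percentages if p > 0)
    return -(-BASIS_POINTS // smallest)  # ceiling division on ints


if __name__ == "__main__":
    # Constructed sample: three winners, the last holding one basis point.
    shares = [6000, 3999, 1]
    for total in (9_999, 10_000):
        payouts, remainder = distribute(total, shares)
        print(total, payouts, remainder, zeroed_winners(total, shares))
    print("minimum safe total:", min_safe_total(shares))
```

With a one-basis-point share the computed minimum equals `BASIS_POINTS`, which matches the recommendation; for larger minimum shares the bound is lower.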
