The use of low decimal tokens may cause winners to lose their awards
Summary
Using low decimal tokens as awards can cause truncation in some instances
Vulnerability Details
There are tokens such as usdc and Gemini USD that have low decimals. USDC has 6 and GeminiUSD has only 2. The use of gemini usd as an award will cause a winner to not receive his award.
in the for loop, we see the logic below
in the logic let us look at totalAmount * percentages[i] / BASIS_POINTS;
let us assume the total amount given out is 500 geminiUSD and a winner has won 0.1% of the pot so 10 basis points.
Now if we use the logic we get 500 x 10 = 5000/ BASIS_POINTS
5000/10000 will be 0.5
the winner should be awarded 0.5 gemini usd but because solidity does not support this, it will round it down to 0 and the winner will not receive his 0.5 usd.
although the amount is small this is still a loss of funds.
this is a viable situation because let us say that codehawks wanted to use sparkn to distribute awards, in the most recent contest some winners were subject to only 0.04 USDC. the use of sparkn and the reward being geminiUSD will not be possible to send the winner their 0.04 GeminiUSD
Impact
Users will not receive their awards
Tools Used
manual review
Recommendations
recommend to maybe move award calculation off chain or implement logic that does not truncate the awards of the user.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.