Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: medium

The use of low-decimal tokens may cause winners to lose their awards

Summary

Award amounts are computed with integer division, so with low-decimal award tokens a winner's share can round down, in some cases all the way to zero.

Vulnerability Details

There are tokens such as USDC and Gemini USD (GUSD) that have few decimals: USDC has 6 and GUSD has only 2. Because the award amount is computed with integer division in the token's base units, using GUSD as an award can leave a winner with less than their share, or with nothing at all.
In the for loop we see the logic below:

uint256 winnersLength = winners.length; // cache length
for (uint256 i; i < winnersLength;) {
    uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;
    erc20.safeTransfer(winners[i], amount);
    unchecked {
        ++i;
    }
}
The expression to look at is totalAmount * percentages[i] / BASIS_POINTS. totalAmount is the pot in the token's base units, percentages[i] is the winner's share in basis points, and BASIS_POINTS is 10000, so the division rounds toward zero whenever totalAmount * percentages[i] is not an exact multiple of 10000.

  1. Let us assume the pot is 500 base units of GUSD, which with 2 decimals is 5.00 GUSD, and a winner has won 0.1% of the pot, i.e. 10 basis points.

  2. The loop computes 500 x 10 = 5000, then 5000 / BASIS_POINTS.

  3. 5000 / 10000 is 0.5 base units, i.e. 0.005 GUSD.

  4. The winner should be awarded 0.005 GUSD, but Solidity's integer division rounds toward zero, so amount is 0 and the winner receives nothing.

  5. Although the amount is small, this is still a loss of funds, and it repeats for every winner whose share comes out below one base unit (0.01 GUSD). Winners with larger shares also lose the fractional base unit of their share.

  6. This is a realistic situation. Suppose CodeHawks wanted to use Sparkn to distribute awards: in the most recent contest some winners were due only 0.04 USDC. Paid out in a 2-decimal token such as GUSD, any fraction of a cent in such a share is truncated, and a share that works out below 0.01 GUSD is not sent at all.
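To make the arithmetic above concrete, here is an added example, written for this page and not Sparkn's code, that models the loop's integer division in Python and runs the same 99.9% / 0.1% split (9990 / 10 basis points) over three tokens that differ only in decimals(). BASIS_POINTS = 10000 is the divisor the loop uses; the 5.00 pot, the split and the function names are this example's own constructed inputs. It goes one step beyond the list: it also reports how many base units stay behind because of per-winner rounding.

```python
from decimal import Decimal
from fractions import Fraction

# Added example (not Sparkn's code): a model of the Distributor loop's
# arithmetic, `amount = totalAmount * percentages[i] / BASIS_POINTS`, run
# against tokens with different decimals(). Assumes BASIS_POINTS = 10000 and
# percentages that sum to at most BASIS_POINTS.

BASIS_POINTS = 10_000


def to_base_units(amount: str, decimals: int) -> int:
    """Turn a human-readable amount into ERC20 base units, the integer the loop
    multiplies: "5.00" -> 500 for GUSD (2 decimals), 5_000_000 for USDC (6)."""
    return int(Decimal(amount) * 10**decimals)


def distribute(total_amount: int, percentages: list[int]) -> list[int]:
    """Mirror of the Sparkn loop. Solidity's uint256 `/` rounds toward zero;
    Python's `//` on non-negative integers does the same."""
    return [total_amount * p // BASIS_POINTS for p in percentages]


def truncation_report(total_amount: int, percentages: list[int]) -> list[dict]:
    """Per winner: the exact share (a Fraction of a base unit), what the loop
    actually transfers, and the difference the winner silently loses."""
    report = []
    paid_amounts = distribute(total_amount, percentages)
    for i, (p, paid) in enumerate(zip(percentages, paid_amounts)):
        owed = Fraction(total_amount * p, BASIS_POINTS)
        report.append({"winner": i, "bps": p, "owed": owed, "paid": paid, "lost": owed - paid})
    return report


def zero_payout_winners(total_amount: int, percentages: list[int]) -> list[int]:
    """Winners with a non-zero percentage whose transfer amount is 0."""
    return [r["winner"] for r in truncation_report(total_amount, percentages)
            if r["bps"] > 0 and r["paid"] == 0]


def stranded_dust(total_amount: int, percentages: list[int]) -> int:
    """Base units the percentages cover but that no transfer carries."""
    covered = total_amount * sum(percentages) // BASIS_POINTS
    return covered - sum(distribute(total_amount, percentages))


if __name__ == "__main__":
    # Constructed scenario: a 5.00 pot split 99.9% / 0.1% (9990 / 10 bps),
    # paid in three tokens that differ only in decimals().
    percentages = [9990, 10]
    for name, decimals in (("18-decimal token", 18), ("USDC", 6), ("GUSD", 2)):
        pot = to_base_units("5.00", decimals)
        print(f"{name}: pot = {pot} base units")
        for r in truncation_report(pot, percentages):
            print(f"  winner {r['winner']} ({r['bps']} bps): owed {r['owed']}, "
                  f"paid {r['paid']}, lost {r['lost']} base units")
        print(f"  zero payouts: {zero_payout_winners(pot, percentages)}, "
              f"stranded dust: {stranded_dust(pot, percentages)} base units")
```

With the 18-decimal token and with USDC both winners are paid (the 0.1% winner gets 0.005 tokens); with GUSD the same 0.1% winner is paid 0 and one base unit of the pot is left behind, which is the scenario in the numbered steps.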

Impact

Winners whose share computes to less than one base unit of the award token receive nothing, and every winner loses the fractional base unit of their share to rounding.

Tools Used

Manual review

Recommendations

Consider moving the award calculation off-chain, or implementing distribution logic that does not truncate winners' awards, for example by rejecting a distribution in which any winner's share is below one base unit of the token and by accounting for the rounding remainder instead of leaving it behind.
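One way to implement the second option, as an added example that is not Sparkn's code and not a fix the project has published: refuse a distribution in which some winner's share is below one base unit (the case where the loop would transfer 0), and round cumulatively so the transfers add up to exactly the covered share of the pot. The function and exception names are this example's own; BASIS_POINTS = 10000 is the divisor the loop uses; the pots and splits are constructed inputs.

```python
# Added example, not Sparkn's code and not a documented Sparkn fix: one way to
# implement "logic that does not truncate". Two rules, both expressible in the
# same uint256 arithmetic the Solidity loop already uses:
#   1. refuse a distribution in which some winner's share is below one base unit
#      (the case where the loop would transfer 0), and
#   2. round cumulatively, so the amounts sent add up to exactly the covered
#      share of the pot and no dust is stranded by per-winner rounding.
# Assumes BASIS_POINTS = 10000 and percentages summing to at most BASIS_POINTS.

BASIS_POINTS = 10_000


class ShareBelowOneUnit(ValueError):
    """Raised where a Solidity version would revert."""


def check_min_shares(total_amount: int, percentages: list[int]) -> None:
    """Rule 1: every non-zero percentage must be worth at least one base unit.
    Compares totalAmount * bps against BASIS_POINTS, so no division is needed."""
    for i, p in enumerate(percentages):
        if p > 0 and total_amount * p < BASIS_POINTS:
            raise ShareBelowOneUnit(
                f"winner {i}: {p} bps of {total_amount} base units rounds to 0")


def rejects(total_amount: int, percentages: list[int]) -> bool:
    """True if rule 1 would reject this distribution."""
    try:
        check_min_shares(total_amount, percentages)
    except ShareBelowOneUnit:
        return True
    return False


def distribute_naive(total_amount: int, percentages: list[int]) -> list[int]:
    """The original per-winner rounding, kept for comparison."""
    return [total_amount * p // BASIS_POINTS for p in percentages]


def distribute_cumulative(total_amount: int, percentages: list[int]) -> list[int]:
    """Rule 2: pay winner i the difference between the rounded running total
    through i and the rounded running total through i-1. Each amount is within
    one base unit of the exact share, and the amounts sum to exactly
    totalAmount * sum(percentages) / BASIS_POINTS."""
    check_min_shares(total_amount, percentages)
    payouts = []
    cumulative_bps = 0
    sent = 0
    for p in percentages:
        cumulative_bps += p
        target = total_amount * cumulative_bps // BASIS_POINTS
        payouts.append(target - sent)
        sent = target
    return payouts


def stranded(total_amount: int, payouts: list[int], percentages: list[int]) -> int:
    """Base units covered by the percentages but not carried by any transfer."""
    return total_amount * sum(percentages) // BASIS_POINTS - sum(payouts)


if __name__ == "__main__":
    # Constructed case: a 10.00 pot in a 2-decimal token (1000 base units),
    # split three ways so that every share has a fractional base unit.
    pot, bps = 1000, [3333, 3333, 3334]
    naive = distribute_naive(pot, bps)
    fixed = distribute_cumulative(pot, bps)
    print("naive     ", naive, "stranded:", stranded(pot, naive, bps))
    print("cumulative", fixed, "stranded:", stranded(pot, fixed, bps))

    # The page's scenario, 500 base units of GUSD with a 10 bps winner, is now
    # rejected up front instead of silently paying that winner nothing.
    try:
        distribute_cumulative(500, [9990, 10])
    except ShareBelowOneUnit as err:
        print("rejected:", err)
```

Both rules translate directly to the Solidity loop: the first is a require on totalAmount * percentages[i] >= BASIS_POINTS for each winner before any transfer, and the second replaces the per-winner division with a running total, using the same multiplication the existing loop already performs. The first rule is deliberately strict: a pot too small for the chosen percentages fails as a whole, so the organizer sees the problem instead of a winner silently receiving zero.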
