Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: low
Valid

BASIS_POINTS is imprecise

Summary

BASIS_POINTS is hardcoded to 10000, but under some conditions the arithmetic that depends on it will not produce correct results.

Vulnerability Details

Having BASIS_POINTS hardcoded to 10000 limits the precision of the distribution arithmetic for some tokens.

For example, in the following operation:

uint256 amount = totalAmount * percentages[i] / BASIS_POINTS;

If totalAmount * percentages[i] < BASIS_POINTS, the amount to be distributed will be 0.

Even when the product is larger than BASIS_POINTS, precision is still lost. For example, with

totalAmount = 10
percentages[0] = 1010

the operation is:

amount = 10 * 1010 / 10000
amount = 10100 / 10000 = 1010 / 1000 = 1 (the exact value 1.01 is truncated to 1)

Solidity integer division discards the fractional part, so the distributed amount is rounded down and the distribution no longer matches the intended percentages.

Because the protocol works with stablecoins, consider the case of Gemini USD, which has only 2 decimal places, so prize amounts are expressed in far fewer base units than a 6- or 18-decimal token and truncation bites much sooner:
https://etherscan.io/token/0x056Fd409E1d7A124BD7017459dFEa2F387b6d5Cd?a=0x5f65f7b609678448494De4C87521CdF6cEf1e932#readContract

Impact

The distribution of prizes will not be correct, and in some cases the fee collected will not be 5%.

Tools Used

Manual code review
Remix IDE

Recommendations

Verify that the amounts and percentages do not lose precision to integer truncation before sending the prizes.
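As an added example (not code from the Sparkn contracts or from the finding's author), the following Python models the contract's integer arithmetic described under Vulnerability Details and implements the pre-send check suggested under Recommendations. It reproduces the finding's numbers (totalAmount = 10, percentages[0] = 1010) and contrasts a 2-decimal token with a 6-decimal one. The 5% commission fee expressed as 500 basis points, the assumption that the winner percentages fill the remainder after the fee, the sample amounts, and all function names are assumptions made for this example.

```python
from decimal import Decimal

BASIS_POINTS = 10_000   # the hardcoded constant named in the finding
COMMISSION_FEE = 500    # assumed: the 5% fee the finding mentions, in basis points


def split_prize(total_amount: int, percentages: list[int]) -> tuple[list[int], int, int]:
    """Compute (winner amounts, fee, dust) exactly as Solidity would:
    amount = totalAmount * percentages[i] / BASIS_POINTS with the fraction dropped.
    Assumes (for this example) that winner percentages fill everything left after the fee."""
    if sum(percentages) + COMMISSION_FEE != BASIS_POINTS:
        raise ValueError("percentages must sum to BASIS_POINTS - COMMISSION_FEE")
    amounts = [total_amount * p // BASIS_POINTS for p in percentages]   # floor division = truncation
    fee = total_amount * COMMISSION_FEE // BASIS_POINTS
    dust = total_amount - sum(amounts) - fee   # value that truncation leaves unassigned
    return amounts, fee, dust


def is_exact(total_amount: int, percentages: list[int]) -> bool:
    """The recommended pre-send check: every share, fee included,
    must divide evenly by BASIS_POINTS or some value will be truncated away."""
    shares = percentages + [COMMISSION_FEE]
    return all((total_amount * p) % BASIS_POINTS == 0 for p in shares)


def to_units(human_amount: str, decimals: int) -> int:
    """Convert a human-readable amount such as '0.10' into token base units
    (constructed helper; Decimal avoids float rounding)."""
    return int(Decimal(human_amount) * 10 ** decimals)


def effective_fee_bps(total_amount: int, percentages: list[int]) -> int:
    """Fee actually taken, in basis points, after truncation."""
    _, fee, _ = split_prize(total_amount, percentages)
    return fee * BASIS_POINTS // total_amount


if __name__ == "__main__":
    pcts = [1010, 8490]   # sums to 9500 = BASIS_POINTS - COMMISSION_FEE (constructed)

    # 0.10 of a 2-decimal token (Gemini USD-like) is only 10 base units.
    two_dec = to_units("0.10", 2)
    print("2 decimals:", split_prize(two_dec, pcts), "exact:", is_exact(two_dec, pcts),
          "fee bps:", effective_fee_bps(two_dec, pcts))

    # The same 0.10 of a 6-decimal token is 100000 base units and splits cleanly.
    six_dec = to_units("0.10", 6)
    print("6 decimals:", split_prize(six_dec, pcts), "exact:", is_exact(six_dec, pcts),
          "fee bps:", effective_fee_bps(six_dec, pcts))

    # Smallest case from the finding: totalAmount * percentage < BASIS_POINTS gives 0.
    print("1 unit:", split_prize(1, [9500]))
```

With 10 base units the first winner receives 1 instead of 1.01, the fee rounds to 0 (an effective 0% rather than 5%), and one unit is left unassigned; the same amount in a 6-decimal token splits exactly. Running `is_exact` before the transfers is the check the recommendation calls for.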
