DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Valid

Ditto Shares skimmed off Users

Summary

Users are skimmed of shares when their bid is closed.

Vulnerability Details

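uint88 shares = eth * (timeTillMatch / 1 days);

The division timeTillMatch / 1 days is evaluated first, so integer division discards any partial day before the result is multiplied by eth.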

POC

User bid is matched at Epoch 1695556800

The first method is the one used in the protocol; the second is the calculation as it was meant to be. We then take the difference between the two to see how much more the user would have received had the shares been calculated properly.

Method one

timeTillMatch / 1 days

1695556800 / 86400

19624 * 1e18 = 1.9624e+22

Method two

timeTillMatch * 1e18

1695556800 * 1e18

1.6955568e+27 / 1 days = 1.96245e+22

Difference

Method two - Method one

1.96245e+22 - 1.9624e+22 = 500000000000917500;

Difference scaled down

500000000000917500 / 1e18

diff = 0.5000000000009175

Impact

User shares are wrongly reduced when the match is closed.

Tools Used

Manual

Recommendations

uint shares = (timeTillMatch * eth) / 1 days;
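
The two formulas compared over several durations, as an added example that is not part of the original submission: Python's `//` models Solidity's truncating unsigned division, and the 1 ether bid size and every duration other than the POC's are constructed. It goes slightly beyond the POC to show that the loss is always below eth, and that a bid matched in under one day earns zero shares under the protocol formula.

```python
# Added example: models Solidity's truncating unsigned integer division with //.
DAY = 86_400   # Solidity `1 days`, in seconds
ETH = 10**18   # constructed sample: a bid size of 1 ether, in wei


def shares_protocol(eth: int, time_till_match: int) -> int:
    """Formula from the finding: divide first, so partial days are dropped."""
    return eth * (time_till_match // DAY)


def shares_recommended(eth: int, time_till_match: int) -> int:
    """Recommended formula: multiply first, divide last."""
    return (time_till_match * eth) // DAY


def shares_lost(eth: int, time_till_match: int) -> int:
    """Shares the user is short under the protocol formula (never negative)."""
    return shares_recommended(eth, time_till_match) - shares_protocol(eth, time_till_match)


def report(eth: int, durations: list[int]) -> list[tuple[int, int, int, int]]:
    """(duration, protocol shares, recommended shares, loss) for each duration."""
    return [
        (t, shares_protocol(eth, t), shares_recommended(eth, t), shares_lost(eth, t))
        for t in durations
    ]


if __name__ == "__main__":
    samples = [
        1_695_556_800,  # value used in the POC above
        DAY - 1,        # constructed: just under one day
        3 * DAY,        # constructed: exact multiple of a day
        3 * DAY + 1,    # constructed: one second past a multiple
    ]
    for t, got, want, lost in report(ETH, samples):
        print(f"t={t:>12}  protocol={got}  recommended={want}  lost={lost}")
```

With exact integers, the POC input gives a difference of 500000000000000000, which is 0.5 after scaling down by 1e18.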

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-139
