Submission Details
Severity: low
Valid

Unsafe Fee Calculation

Summary

The fee calculation function risks a loss of precision by dividing before multiplying.

Vulnerability Details

The getCalculatedFee function in both the ThunderLoan and ThunderLoanUpgraded contracts performs a multiplication on the result of a division.

The temporary local variable valueOfBorrowedToken stores an intermediate calculation that involves a division operation. This value is then multiplied by s_flashLoanFee before being divided by s_feePrecision again.

Impact

The calculated fee could end up being less than the intended 0.3%, especially if the dividend is smaller than the divisor.

Any time amount * getPriceInWeth(address(token)) is less than the fee precision (which is 1e18), the getCalculatedFee function will return 0, because Solidity performs integer division, which truncates decimals by rounding down.

Even if the dividend is larger than the divisor, unnecessary truncation could still occur, which would result in undercharging fees and harm the liquidity providers.

Tools Used

  • Slither

Recommendations

Change the getCalculatedFee function so that the amount is multiplied by getPriceInWeth(address(token)) and the flash loan fee before dividing by the fee precision:

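    function getCalculatedFee(IERC20 token, uint256 amount) public view returns (uint256 fee) {
        // Do every multiplication first so no intermediate result is truncated.
        uint256 valueOfBorrowedTokenWithFee = (amount * getPriceInWeth(address(token))) * s_flashLoanFee;
        // Divide once by the combined precision of the two former divisions.
        fee = valueOfBorrowedTokenWithFee / (FEE_PRECISION * FEE_PRECISION);
    }
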
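
The two calculation orders can be compared off-chain with the model below. It is an added example, not code from this submission or the ThunderLoan repository: Python integers stand in for uint256, the 3e15 fee value is an assumption derived from the report's 0.3% and 1e18 precision, and the price and amounts are constructed samples. It goes beyond the report by sweeping a range of amounts to measure the undercharge and by showing that multiplying first carries a larger intermediate value.

```python
# Added example: Python ints stand in for Solidity uint256 (floor division,
# revert on overflow). Not code from the ThunderLoan repository.
UINT256_MAX = 2**256 - 1
FEE_PRECISION = 10**18       # fee precision stated in the report (1e18)
FLASH_LOAN_FEE = 3 * 10**15  # assumption: the report's 0.3% at 1e18 precision


def _checked(x: int) -> int:
    """Mimic Solidity 0.8 checked arithmetic: overflow reverts."""
    if x > UINT256_MAX:
        raise OverflowError("uint256 overflow: the call would revert")
    return x


def fee_divide_first(amount: int, price_in_weth: int) -> int:
    """Order flagged in the report: divide, multiply, divide again."""
    value_of_borrowed_token = _checked(amount * price_in_weth) // FEE_PRECISION
    return _checked(value_of_borrowed_token * FLASH_LOAN_FEE) // FEE_PRECISION


def fee_multiply_first(amount: int, price_in_weth: int) -> int:
    """Recommended order: both multiplications, then one division."""
    with_fee = _checked(_checked(amount * price_in_weth) * FLASH_LOAN_FEE)
    return with_fee // (FEE_PRECISION * FEE_PRECISION)


def max_shortfall(amounts, price_in_weth: int) -> int:
    """Largest undercharge (in wei) of divide-first across the given amounts."""
    return max(fee_multiply_first(a, price_in_weth) - fee_divide_first(a, price_in_weth)
               for a in amounts)


if __name__ == "__main__":
    price = 10**17  # constructed sample: token priced at 0.1 WETH
    for amount in (9, 3_339, 10_000):  # constructed sample amounts
        print(amount, fee_divide_first(amount, price), fee_multiply_first(amount, price))
    print("max shortfall:", max_shortfall(range(1, 100_001), price))
    try:  # multiply-first carries a larger intermediate, so it overflows sooner
        fee_multiply_first(2**190, 10**18)
    except OverflowError as exc:
        print("multiply-first:", exc, "| divide-first:", fee_divide_first(2**190, 10**18))
```

With these sample values the divide-first order undercharges by one wei at an amount of 3,339, and the last case shows why a multiply-first rewrite should be checked against the largest amounts and prices the protocol accepts.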
Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

precision loss valueOfBorrowedToken
