The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Valid

Tokens Stuck in Contract Due to Precision Loss

Summary

The distributeFees function in the LiquidationPool contract can leave tokens stuck in the contract because of precision loss. If the calculated amount of EUROs to be distributed is less than tstTotal, users may not receive the correct proportion of tokens, and the undistributed tokens are trapped in the contract indefinitely.

Vulnerability Details

The vulnerability arises from precision loss when calculating the EUROs distributed to holders and pending stakes. Each share is computed as (_amount * TST) / tstTotal using integer division, which truncates the result. If the product of _amount and a user's TST is less than tstTotal, users may not receive the correct amount of tokens, leaving some tokens stuck in the contract.

For example, if three users each have 100 tokens and the received amount is 20 tokens, each user will receive 20 * 100 / 300 = 6 tokens (rounded down). Due to precision loss, 2 tokens will be lost. This issue can escalate with higher values.

    function distributeFees(uint256 _amount) external onlyManager {
        uint256 tstTotal = getTstTotal();
        if (tstTotal > 0) {
            IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _amount);
            for (uint256 i = 0; i < holders.length; i++) {
                address _holder = holders[i];
                positions[_holder].EUROs += (_amount * positions[_holder].TST) / tstTotal;
            }
            for (uint256 i = 0; i < pendingStakes.length; i++) {
                pendingStakes[i].EUROs += (_amount * pendingStakes[i].TST) / tstTotal;
            }
        }
    }

Impact

Some tokens become stuck in the contract due to users not receiving the correct proportion of tokens during distribution.

Tools Used

Manual review

Recommendations

It is recommended to implement a function to withdraw these tokens from the contract or distribute them in a way that avoids precision loss.
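
The rounding described above can be reproduced off-chain. The following is an added example, not code from the report or from The Standard: it models the distributeFees formula with BigInt (which truncates like uint256 division) and compares it with one possible way to avoid the loss, carrying the remainder into the next distribution. CarryForwardPool, undistributed and strandedWithoutCarry are hypothetical names, and stakes are assumed to stay fixed between rounds.

```javascript
// Added model of distributeFees' arithmetic. BigInt division truncates,
// matching Solidity's uint256 division.

// Same formula as the contract: (_amount * TST) / tstTotal per staker.
function distributeFees(amount, stakes) {
  const tstTotal = stakes.reduce((sum, tst) => sum + tst, 0n);
  if (tstTotal === 0n) return { shares: stakes.map(() => 0n), dust: 0n };
  const shares = stakes.map((tst) => (amount * tst) / tstTotal);
  const credited = shares.reduce((sum, s) => sum + s, 0n);
  // The contract transfers in `amount` in full; the uncredited part stays behind.
  return { shares, dust: amount - credited };
}

// Total left uncredited when the same amount is distributed `rounds` times.
function strandedWithoutCarry(rounds, amount, stakes) {
  let stranded = 0n;
  for (let i = 0; i < rounds; i++) stranded += distributeFees(amount, stakes).dust;
  return stranded;
}

// Hypothetical mitigation (not in the original contract): keep the remainder
// in an extra counter and fold it into the next distribution.
class CarryForwardPool {
  constructor(stakes) {
    this.stakes = stakes;
    this.credited = stakes.map(() => 0n);
    this.undistributed = 0n;
  }
  distribute(amount) {
    const { shares, dust } = distributeFees(amount + this.undistributed, this.stakes);
    shares.forEach((s, i) => { this.credited[i] += s; });
    this.undistributed = dust;
    return dust;
  }
}

// Constructed input: the report's example, three stakers with 100 TST each.
const exampleStakes = [100n, 100n, 100n];
const single = distributeFees(20n, exampleStakes);
console.log("shares:", single.shares, "dust:", single.dust);
console.log("stranded after 10 rounds:", strandedWithoutCarry(10, 20n, exampleStakes));

const pool = new CarryForwardPool(exampleStakes);
for (let i = 0; i < 10; i++) pool.distribute(20n);
console.log("with carry:", pool.credited, "pending:", pool.undistributed);
```

With the carry, the uncredited balance does not accumulate across rounds: each share loses less than one base unit, so the pending remainder always stays below the number of recipients.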

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

precision-distributeFees
