The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Stakers rewards will be inaccurate due to precision loss

tumelo_crypto

Summary

Rewards will be inaccurate due to division before multiplication in calculations.

Vulnerability Details

When calculating costInEuros, many multiplications and divisions are done without order:

Liquidationpool.sol distributeAssets()
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
* _hundredPC / _collateralRate;

This is problematic as it will result in the value of costInEuros being rounded down, which could affect the value of _portion:

if (costInEuros > _position.EUROs) {
_portion = _portion * _position.EUROs / costInEuros;
costInEuros = _position.EUROs;
}

Since _portion is the value used to allocate rewards this will result in inaccurate allocations and stakers receiving bigger allocations which means the protocol is losing money everytime the distributeAssets() function is called.

Impact

Inaccurate allocation of rewards to stakers and loss of money to the protocol.

Tools Used

Manual review.

Recommendations

Ensure multiplication is done first before any sort of division:

uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd)
* _hundredPC / uint256(priceEurUsd) / _collateralRate;
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

precision

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.