The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Precision loss/Rounding to Zero in distributeAssets()

lian886

Summary

The identified vulnerability is associated with the distributeAssets function in LiquidationPool.sol. In scenarios where the _positionStake amount is low or low values are used for percentages, the function may encounter a precision issue. This arises due to the division of stakeTotal to calculate the distribution amount for each holder. The precision error can lead to incorrect token distribution, affecting the fairness and accuracy of asset distributions to holders.

Vulnerability Details

The vulnerability stems from the calculation of amount within the distribution loop. The formula uint256 _portion = asset.amount * _positionStake / stakeTotal involves a division operation that could result in loss of precision(Rounding to Zero) when dealing with small asset.amount values or low percentage _positionStake / stakeTotal . This imprecision can lead to token amounts being rounded down to zero, resulting in unfair or incomplete asset distributions for holders.
Proof Of Concept:

//simply simulate total stake 50000 TST, one position stake 2 TST

stakeTotal = 50000 * 10 ** 18;

_positionStake = 2 * 10 ** 18;

//simply simulate the distribution asset token is 0.01 wbtc with dec of 10**6

//_portion = 0.01 *10**6 *2 * 10 ** 18 / 50000 * 10 ** 18 = 0

uint256 _portion = asset.amount * _positionStake / stakeTotal;

The same issue is in distributeFees , mint and burn function:
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L188C1-L188C89

https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L161C1-L161C122
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/SmartVaultV3.sol#L170C1-L170C122

Impact

The Rounding to Zero vulnerability has the potential to undermine the intended fairness and accuracy of the token distribution process. In scenarios where the token balance is very small or percentages are low, the distribution algorithm could yield incorrect or negligible rewards to holders. This impacts the trust and credibility of the protocol, potentially leading to user dissatisfaction and decreased participation.

Tools Used

Manual Review

Recommendations

Consider instituting a predefined minimum threshold for the percentage amount used in the token distribution calculation. This approach ensures that the calculated distribution amount maintains a reasonable and equitable value, even when dealing with low percentages.

Additionally, an alternative strategy involves adopting a rounding up equation that consistently rounds the distribution amount upward to the nearest integer value.

By incorporating either of these methodologies, the precision vulnerability associated with small values and percentages can be effectively mitigated, resulting in more accurate and reliable token distribution outcomes.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

precision

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.