Submission Details
Severity:
Division before multiplication incurs precision loss
Summary
Division before multiplication was done on line 219 - 223 of the LiquidationPool.sol contract.
Vulnerability Details
In the distributeAssets(...) function of the LiquidationPool.sol contract, the costInEuros was calculated by doing division before multiplication. Division before multiplication incurs precision loss.
File: LiquidationPool.sol
function distributeAssets(ILiquidationPoolManager.Asset[] memory _assets, uint256 _collateralRate, uint256 _hundredPC) external payable {
consolidatePendingStakes();//@audit no check for updatedAt
(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
uint256 stakeTotal = getStakeTotal();//@audit no check for sequencer
uint256 burnEuros;
uint256 nativePurchased;
for (uint256 j = 0; j < holders.length; j++) {
Position memory _position = positions[holders[j]];
uint256 _positionStake = stake(_position);
if (_positionStake > 0) {
for (uint256 i = 0; i < _assets.length; i++) {
ILiquidationPoolManager.Asset memory asset = _assets[i];
if (asset.amount > 0) {
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
@> uint256 _portion = asset.amount * _positionStake / stakeTotal;
@> uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
* _hundredPC / _collateralRate;//@audit audit div before mul.
if (costInEuros > _position.EUROs) {
@> _portion = _portion * _position.EUROs / costInEuros;
Impact
Loss of precision leading to loss of asset.
Tools Used
Manual Review
Recommendations
When implementing operations involving division and multiplication, all division should be done last.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
60933 USDC / LOC
17,500 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.