Precision Loss in distributeAssets calculation could result in incorrect rewards
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L220-L221
In the linked code, the function distributeAssets performs a long calculation to determine the amount of assets to distribute to each user. Let's take a closer look.
In this part of the equation, we see that a division is performed before a multiplication.
In Solidity this presents a risk of truncation: if the denominator is greater than the numerator, the result is rounded down to 0. This precision loss can result in incorrect rewards for users in some situations. For example, if uint256(assetPriceUsd) is significantly smaller than uint256(priceEurUsd), the division could result in zero, rendering the entire expression zero regardless of the values of _hundredPC or _collateralRate. This issue could result in users receiving incorrect, often lower, rewards when the distributeAssets function is called.
The impact of this vulnerability extends beyond mere computational inaccuracies; it directly affects the financial rewards of users. In scenarios where the truncation leads to a zero value, users might not receive any rewards at all, despite being eligible for them. This can lead to a loss of trust in the system, potential financial losses for users, and a tarnished reputation for the platform.
Users can receive an incorrect amount of rewards when calling distributeAssets.
Manual Review
Revise the calculation
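The contract below is an added illustration of the truncation described above and of one way to revise the calculation; it is not code from LiquidationPool.sol. The shape of the expression, the `amount` parameter, the contract and function names, and all sample values are assumptions constructed for the demonstration; only the operand names assetPriceUsd, priceEurUsd, _hundredPC and _collateralRate come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not the project's code. Names and values are hypothetical.
contract PrecisionLossDemo {
    // Division before multiplication: every `/` truncates toward zero, and the
    // truncated intermediate is then scaled up by the next multiplication.
    function divideFirst(
        uint256 amount, // hypothetical asset amount
        uint256 assetPriceUsd,
        uint256 priceEurUsd,
        uint256 hundredPC,
        uint256 collateralRate
    ) public pure returns (uint256) {
        return amount * assetPriceUsd / priceEurUsd * hundredPC / collateralRate;
    }

    // Revised ordering: all multiplications first, a single division last,
    // so the result is truncated only once. Checked arithmetic in 0.8.x
    // reverts instead of wrapping if the numerator or denominator overflows.
    function multiplyFirst(
        uint256 amount,
        uint256 assetPriceUsd,
        uint256 priceEurUsd,
        uint256 hundredPC,
        uint256 collateralRate
    ) public pure returns (uint256) {
        return (amount * assetPriceUsd * hundredPC) / (priceEurUsd * collateralRate);
    }

    // Runs both orderings on the same constructed inputs.
    function demo() external pure returns (uint256 truncated, uint256 revised) {
        truncated = divideFirst(3, 100_000_000, 110_000_000, 100_000, 110_000);
        revised = multiplyFirst(3, 100_000_000, 110_000_000, 100_000, 110_000);
        // Same inputs, different results: the early division discarded value.
        assert(truncated == 1);
        assert(revised == 2);
        // The bare price ratio from the finding: a smaller numerator yields 0.
        assert(uint256(100_000_000) / uint256(110_000_000) == 0);
    }
}
```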