Pricision Error in `distributeAssets()` Could Lead to Undercollateralization of EUROs
Description:
Precision error in distributeAsset when distributing 8 decimal tokens like WBTC leads to users missing out on rewards and undercollateralization of EUROs. The larger the stakedTotal, the larger the denomination to divide by, causing _portion for some users to be 0. Consequently, some collateral will not be sold in the pool and sent back to LiquidationPoolManager despite having enough pool balance to buy these tokens. Assets that aren't sold are sent back to the LiquidationPoolManager, which then sends it to the protocol (i.e., treasury).
Impact:
The delay between the time of liquidation and selling of these assets to cover the loss exposes EUROs to undercollateralization.
Proof of Concept:
Calculating a staker's portion in the given conditions results in zero.
wBTC reward: 1e8 (1 BTC)
Staker's positions: 1e18
Total Stake: 1000000000e18
Although the discrepancy between the staker's position and total stake is so wide, making the effect of such transactions seem almost inconsequential, this can accumulate over time or over multiple users to cause a significant impact on the protocol.
Tools Used:
Manual Review
Foundry
Recommended Mitigation Steps:
Convert 8 decimal tokens to 18 before calculating stakers' portion.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.