Risk of Residual Balances in Smart Contract's decreasePosition Function
Summary
The decreasePosition function in the smart contract faces a potential issue where small residual balances (dust) of TST or EUROs may remain in a user's position due to inaccurate computations in the UI. This can lead to positions not being deleted when they should be, resulting in an excessive number of active positions.
Vulnerability Details
The function allows users to decrease their position in terms of TST and EUROs. It checks that the requested decrease amounts are not greater than the user's current holdings. However, if the decrease amount is slightly less than the total holdings due to a rounding error or a miscalculation in the user interface, a very small balance (dust) may remain in the user's position. The function includes a check to delete a position if it's empty (using empty(positions[msg.sender])), but residual balances might prevent this condition from being met. Consequently, positions that are effectively inactive or negligible in value may not get deleted, leading to an inflated count of active positions.
Impact
The presence of numerous inactive positions with residual balances can clutter the contract's state, potentially leading to increased computational and storage costs. It can also complicate contract management and analysis, as the contract will appear to have more active participants than it actually does.
Tools Used
Manual Review
Recommendations
Introduce a minimum threshold below which a position is considered effectively empty and eligible for deletion.
Lead Judging Commences
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.