In the SablierV2NFTDescriptor contract, a potential loss of precision issue has been identified. This occurs when performing division by a large number, which can result in the outcome being zero due to Solidity's inability to handle fractions. This report details the specific instance where this issue occurs and provides recommendations to mitigate the problem.
The issue is identified in the following line of the SablierV2NFTDescriptor contract:
https://github.com/Cyfrin/2024-05-Sablier/tree/main/v2-core/src/SablierV2NFTDescriptor.sol#L200
In this line, the multiplication of streamedAmount by 10,000 is followed by division by depositedAmount. If depositedAmount is a very large number compared to streamedAmount * 10_000, the result of the division may be zero, leading to a loss of precision.
The loss of precision can result in inaccurate calculations and potentially erroneous logic in the smart contract. This can affect the correct representation and functionality of the system, leading to potential financial discrepancies or unintended behavior in the application.
Manual code review
Require Minimum Amounts: Implement a check to ensure that streamedAmount * 10_000 is always larger than depositedAmount before performing the division. For example:
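A sketch of that check, added here as an illustration and not taken from the SablierV2NFTDescriptor source. The contract name, function names, custom error and uint256 types are assumptions; only the streamedAmount * 10_000 / depositedAmount expression comes from the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration; names and types are hypothetical, not the project's.
contract StreamedRatioExample {
    error RatioTooSmall(uint256 streamedAmount, uint256 depositedAmount);

    /// The pattern the finding describes: scale by 10_000, then divide.
    /// Integer division discards the remainder, so whenever
    /// streamedAmount * 10_000 < depositedAmount the quotient truncates to zero.
    function streamedBpsTruncating(uint256 streamedAmount, uint256 depositedAmount)
        public
        pure
        returns (uint256)
    {
        return streamedAmount * 10_000 / depositedAmount;
    }

    /// The recommended guard: revert unless the scaled numerator is larger
    /// than the denominator, so a silent zero is never returned.
    /// The guard also rejects streamedAmount == 0, where zero is the exact
    /// answer; a caller that must render untouched streams has to treat
    /// that case separately before calling this function.
    function streamedBpsChecked(uint256 streamedAmount, uint256 depositedAmount)
        public
        pure
        returns (uint256)
    {
        // Checked arithmetic in Solidity >=0.8 reverts if this overflows.
        uint256 scaled = streamedAmount * 10_000;
        if (scaled <= depositedAmount) {
            revert RatioTooSmall(streamedAmount, depositedAmount);
        }
        return scaled / depositedAmount;
    }

    /// Constructed sample inputs: 1 token streamed out of 20_000 deposited
    /// (18 decimals), a ratio of half a basis point. The first call shows
    /// the truncation; the second call reverts with RatioTooSmall.
    function demo() external pure returns (uint256 truncating, uint256 checked) {
        uint256 streamed = 1e18;
        uint256 deposited = 20_000 * 1e18;
        truncating = streamedBpsTruncating(streamed, deposited);
        checked = streamedBpsChecked(streamed, deposited);
    }
}
```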