Precision Loss in Reward Calculation Leads to Undistributed Funds
Summary
Precision loss in reward calculation leads to undistributed funds in the ThePredicter::withdraw function.
Vulnerability Details
In the ThePredicter::withdraw function, when calculating the reward, there's a potential for precision loss due to integer division. The calculation (shares * players.length * entranceFee) / totalShares can result in truncation of decimal places, leaving a small amount of wei undistributed.
For example:
Player's score (shares): 10
players.length: 30
entranceFee: 0.04 ether (40,000,000,000,000,000 wei)
totalShares: 70
The calculation becomes: (10 * 30 * 40,000,000,000,000,000) / 70 = 171,428,571,428,571,428 wei
The actual result should be 171,428,571,428,571,428.57142857142857 wei, but Solidity truncates the decimal portion, leaving some dust (0.57142857142857 wei) undistributed.
Impact
This precision loss results in a small amount of funds being left in the contract instead of being distributed to eligible players. Over time and multiple withdrawals, these undistributed funds could accumulate.
Tools Used
Manual review
Recommendations
Implement a mechanism to handle the precision loss and ensure all funds are properly distributed.
Lead Judging Commences
Dust amount might remain
Small amount of funds can remain stuck in contract due to a precision loss.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.