Submission Details
Severity:
precision loss in claimTokens.
Summary
Here we are calculating the multiplier in auctionEnd and then using it in claimTokens but there is a precision loss is happening.
Vulnerability Details
function auctionEnd() external {
if (block.timestamp < auctionEndTime) {
revert AuctionNotYetEnded();
}
if (ended) {
revert AuctionEndAlreadyCalled();
}
ended = true;
emit AuctionEnded(totalBids, totalTokens);
if (totalBids == 0) {
auctionToken.transfer(owner, totalTokens);
return;
}
@>> multiplier = totalTokens.mul(PRECISION_18).div(totalBids);
// Burn the FjordPoints held by the contract
uint256 pointsToBurn = fjordPoints.balanceOf(address(this));
fjordPoints.burn(pointsToBurn);
}
/**
* @notice Allows users to claim their tokens after the auction has ended.
*/
function claimTokens() external {
if (!ended) {
revert AuctionNotYetEnded();
}
uint256 userBids = bids[msg.sender];
if (userBids == 0) {
revert NoTokensToClaim();
}
@>> uint256 claimable = userBids.mul(multiplier).div(PRECISION_18);
bids[msg.sender] = 0;
auctionToken.transfer(msg.sender, claimable);
emit TokensClaimed(msg.sender, claimable);
}
}
Impact
we will loss the some amount while claiming the claimTokens..
Tools Used
Recommendations
multiplier = totalTokens.mul(PRECISION_18);
uint256 claimable = userBids.mul(multiplier).div(PRECISION_18).div(totalBids);
Updates
Lead Judging Commences
inallhonesty
about 1 year ago
inallhonesty about 1 year ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
Low decimal tokens or super small bids can lead to 0 claims
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230
USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.