First Flight #21: KittyFi

First Flight #21

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Implementation bug in `KittyVault::getTotalMeowllateralInAave`, resulting in wrong calculation of the total amount of collateral held by Aave.

v1vah0us3

Description

The function KittyVault::getTotalMeowllateralInAave is intended to calculate and return the total amount of collateral deposited in Aave, as well as the collateral earned from interest. However, the current implementation contains an error in its calculation.

function getTotalMeowllateralInAave() public view returns (uint256) {

(uint256 totalCollateralBase, , , , , ) = i_aavePool.getUserAccountData(address(this));

(, int256 collateralToUsdPrice, , , ) = i_priceFeed.latestRoundData();

@> return totalCollateralBase.mulDiv(PRECISION, uint256(collateralToUsdPrice) * EXTRA_DECIMALS);

}

The issue here is that the multiplication and division via Math::mulDiv are performed in the wrong order, leading to an incorrect calculation of the total collateral. This results in an incorrect final value being returned by the function. The correct order of operations should first multiply the totalCollateralBase by the collateralToUsdPrice (adjusted for decimals) and then divide by the PRECISION.

PoC

As a PoC and to demonstrate the bug in the implementation of KittyVault::getTotalMeowllateralInAave we will perform the calculation of totalCollateralBase.mulDiv(PRECISION, uint256(collateralToUsdPrice) * EXTRA_DECIMALS) using the following values:

totalCollateralBase = 100e18 (represents 100 units of collateral (e.g. ETH) with 18 decimals).

collateralToUsdPrice = 2500e8 (price of the ETH in USD with 8 decimals).

EXTRA_DECIMALS = 1e10 (to adjust the 8-decimal price to 18 decimals).

PRECISION = 1e18.

Calculate Adjusted Price: (collateralToUsdPrice) * EXTRA_DECIMALS --> 2500e8×1e10=2500e18

Multiply Total Collateral Base by Precision: 100e18×1e18=100e36

Divide by Adjusted Price: 100e36/2500e18=4e16

Result: 4e16

The result of 4e16 is incorrect for representing the total collateral in USD terms. This result demonstrates the error in logic caused by the wrong order of multiplication and division.

Now we will demonstrate the correct calculation by first multiplying the TotalCollateralBase by the CollateralToUsdPrice (adjusted for decimals) and then dividing by the PRECISION:

Calculate Adjusted Price (collateralToUsdPrice) * EXTRA_DECIMALS: 2500e8×1e10=2500e18

Multiply Total Collateral Base by Adjusted Price: 100e18×2500e18=250000e36

Divide by Precision: 250000e36/1e18=250000e18

Result: 250000e18

With the given collateralToUsdPrice of 2500e8 and totalCollateralBase of 100e18, the correctly calculated total collateral value in USD terms, adjusted to 18 decimals precision, should be 250000e18. This reflects the accurate conversion and scaling of the collateral value to USD, indicating that the calculation is consistent with the expected results.

Impact

The impact of this calculation error is significant, as it leads to the KittyVault::getTotalMeowllateral function returning incorrect values. This can have several downstream effects, including e.g.:

Incorrect User's Collateral Checks using KittyPool::_hasEnoughMeowllateral
Incorrect Calculations and Distribution of Shares in KittyVault::executeDepawsit
Incorrect Calculations of Withdrawal Amount in KittyVault::executeWhiskdrawal

Tools Used

Manual review, vscode

Recommended Mitigation

To address the issue, the calculation in the getTotalMeowllateralInAave function should be corrected by adjusting the order of operations:

function getTotalMeowllateralInAave() public view returns (uint256) {

(uint256 totalCollateralBase, , , , , ) = i_aavePool.getUserAccountData(address(this));

(, int256 collateralToUsdPrice, , , ) = i_priceFeed.latestRoundData();

- return totalCollateralBase.mulDiv(PRECISION, uint256(collateralToUsdPrice) * EXTRA_DECIMALS);

+ return totalCollateralBase.mulDiv(uint256(collateralToUsdPrice) * EXTRA_DECIMALS, PRECISION);

}

Updates

Lead Judging Commences

shikhar229169 Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

v1vah0us3 Submitter

10 months ago

shikhar229169 Lead Judge

10 months ago

shikhar229169 Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

224

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.