Decimal Precision Difference in `PreMarket::_updateReferralBonus` Leads to Incorrect `remainingPlatformFee`
Summary
A discrepancy in decimal precision among variables used in the PreMarket::_updateReferralBonus function leads to incorrect calculation of the remainingPlatformFee. This can result in inaccurate accounting and potential financial discrepancies within the protocol.
Vulnerability Details
The PreMarket::_updateReferralBonus function utilizes variables with different decimal precisions, specifically platformFee, referrerRate, and authorityRate. The issue arises when calculating the remainingPlatformFee, as seen in the following code:
Issue Breakdown:
platformFee: The token-based fee, which can have varying decimals depending on the chosen token.referrerRateandauthorityRate: These rates are calculated using a fixed decimal scaler,Constants.REFERRAL_RATE_DECIMAL_SCALER.Problem: The difference in decimal precision among these variables leads to an incorrect calculation of the
remainingPlatformFee. This discrepancy arises because theplatformFeeand the referral bonuses (referrerReferralBonusandauthorityReferralBonus) are not consistently scaled, causing theremainingPlatformFeeto be inaccurately computed.
Impact
The incorrect calculation of remainingPlatformFee due to decimal precision differences can lead to inaccurate financial accounting within the protocol, potentially resulting in overpayment or underpayment of fees, and ultimately, financial loss.
Tools Used
Manual analysis
Recommendations
To resolve this issue, the protocol should adjust the scale of all variables to ensure they have consistent decimal precision. This can be done by standardizing the decimal precision across platformFee, referrerReferralBonus, and authorityReferralBonus before performing any calculations.
Lead Judging Commences
[invalid] finding-Admin-Errors-Malicious
The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and
Appeal created
[invalid] finding-Admin-Errors-Malicious
The following issues and its duplicates are invalid as admin errors/input validation/malicious intents are1 generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally admins are trusted as noted in READ.ME they can break certain assumption of the code based on their actions, and
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.