Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Valid

For low-decimal tokens, users can avoid paying platform fees.

Summary

For low-decimal tokens, such as GUSD, which has only 2 decimals, the platform fee computed in createTaker rounds down to zero for trade sizes that are far from dust, so takers can trade without paying any platform fee.

Vulnerability Details

In the createTaker function, the deposit is rounded up but the platform fee is rounded down:

    uint256 depositAmount = _points.mulDiv(
        offerInfo.amount,
        offerInfo.points,
        Math.Rounding.Ceil // @audit 100 points * 10000 / 10000 = 100 base units: a tiny value for a 2-decimal token
    );
    uint256 platformFee = depositAmount.mulDiv(
        platformFeeRate, // @audit 100 * 5000 / 1_000_000 = 0.5, which integer division floors to 0
        Constants.PLATFORM_FEE_DECIMAL_SCALER
    );

Consider a token like GUSD, which has only 2 decimal places. Suppose a maker has created an offer with amount = 10000 base units (100.00 GUSD) and points = 10000, so each point costs one base unit (0.01 GUSD). A taker who takes 100 points gets depositAmount = 100 * 10000 / 10000 = 100 base units (1.00 GUSD). With the platformFeeRate of 5000 used in this example (0.5%, given PLATFORM_FEE_DECIMAL_SCALER = 1_000_000), the platform fee is 100 * 5000 / 1_000_000 = 0.5, which Solidity integer division rounds down to 0. The taker therefore pays no platform fee. In general the fee is zero whenever depositAmount * platformFeeRate < PLATFORM_FEE_DECIMAL_SCALER, i.e. for any deposit below 200 base units at this rate. For an 18-decimal token that threshold is dust, but for a 2-decimal token it is 2.00 GUSD, a realistic trade size.
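The arithmetic above, modelled in Python as an added example (this is not Tadle's code). It reimplements mulDiv with Solidity's floor and ceil rounding, mirrors the deposit/fee computation from createTaker, and then goes slightly beyond the single GUSD case: it derives the general fee-free threshold, compares it across token decimals, shows what a taker who repeatedly takes small slices of one offer (assumed to be allowed, for illustration) pays in total, and sketches a minimum-deposit check as a mitigation. The fee rate (5000) and scaler (1_000_000) are the values used in the example; all offer sizes are constructed inputs.

```python
"""Model of the createTaker fee rounding, added as an illustration (not project code)."""
from __future__ import annotations

PLATFORM_FEE_DECIMAL_SCALER = 1_000_000  # Constants.PLATFORM_FEE_DECIMAL_SCALER
PLATFORM_FEE_RATE = 5_000                # 0.5%, the rate used in the example above


def mul_div(a: int, b: int, denominator: int, round_up: bool = False) -> int:
    """floor(a*b/denominator), or ceil when round_up (Math.Rounding.Ceil)."""
    if denominator == 0:
        raise ZeroDivisionError("mulDiv by zero")
    q, r = divmod(a * b, denominator)
    return q + 1 if (round_up and r) else q


def take(points: int, offer_amount: int, offer_points: int,
         fee_rate: int = PLATFORM_FEE_RATE) -> tuple[int, int]:
    """Mirror of createTaker: deposit rounds up, platform fee rounds down.
    Returns (depositAmount, platformFee) in token base units."""
    deposit = mul_div(points, offer_amount, offer_points, round_up=True)
    fee = mul_div(deposit, fee_rate, PLATFORM_FEE_DECIMAL_SCALER)
    return deposit, fee


def fee_free_threshold(fee_rate: int = PLATFORM_FEE_RATE) -> int:
    """Smallest deposit (base units) whose fee does not floor to zero: ceil(scaler / rate)."""
    return -(-PLATFORM_FEE_DECIMAL_SCALER // fee_rate)


def threshold_in_tokens(decimals: int, fee_rate: int = PLATFORM_FEE_RATE) -> float:
    """The same threshold in whole tokens, so it can be compared across decimals."""
    return fee_free_threshold(fee_rate) / 10 ** decimals


def fee_when_split(total_points: int, chunk: int, offer_amount: int,
                   offer_points: int) -> tuple[int, int]:
    """Total (deposit, fee) if total_points are taken in chunk-sized takes.
    Assumes, for illustration only, that one offer can be taken repeatedly."""
    deposit_total = fee_total = 0
    remaining = total_points
    while remaining > 0:
        p = min(chunk, remaining)
        d, f = take(p, offer_amount, offer_points)
        deposit_total += d
        fee_total += f
        remaining -= p
    return deposit_total, fee_total


def take_with_minimum(points: int, offer_amount: int, offer_points: int,
                      fee_rate: int = PLATFORM_FEE_RATE) -> tuple[int, int]:
    """Mitigation sketch (hypothetical check): reject a take whose fee floors to zero."""
    deposit, fee = take(points, offer_amount, offer_points, fee_rate)
    if fee == 0:
        raise ValueError(
            f"deposit {deposit} is below the fee threshold of {fee_free_threshold(fee_rate)} base units")
    return deposit, fee


if __name__ == "__main__":
    # Offer: 10000 base units (100.00 GUSD) for 10000 points; taker takes 100 points.
    print("100 points:", take(100, 10_000, 10_000))            # (100, 0): fee lost
    print("10000 points:", take(10_000, 10_000, 10_000))       # (10000, 50)
    print("100 x 100 points:", fee_when_split(10_000, 100, 10_000, 10_000))
    for dec in (2, 6, 18):
        print(f"{dec}-decimal token: fee is zero below {threshold_in_tokens(dec)} tokens")
```

The comparison loop is the practical takeaway: at a 0.5% rate the fee-free window is 200 base units regardless of the token, which is 2.00 tokens for GUSD, 0.0002 for a 6-decimal token and effectively nothing for 18 decimals. The split run shows that if repeated takes are possible, the whole 10000-point position can be taken for a total fee of 0 instead of 50.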

Impact

Takers pay no platform fee whenever depositAmount * platformFeeRate is below PLATFORM_FEE_DECIMAL_SCALER. For 18-decimal tokens this only affects dust, but for low-decimal tokens such as GUSD it covers realistic trade sizes, so the protocol leaks fee revenue on those trades.

Tools Used

Manual review

Recommendations

Consider enforcing a minimum trade size such that depositAmount * platformFeeRate >= PLATFORM_FEE_DECIMAL_SCALER (for example by reverting when the computed platformFee is zero for a non-zero deposit), so that the platform fee is always collected. Alternatively, compute the fee with more precision (a larger scaler or ceil rounding), taking care that the intermediate product cannot overflow for high-decimal tokens.

Updates

Lead Judging Commences

0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-PreMarkets-tradeTax-round-down-low-decimal

Valid medium, this will indeed cause a leakage (albeit it requires a relatively small amount of collateral transacted, and is most significant for lower-decimal tokens (which does not break ERC20 specifications)), resulting in platformFee rounding to zero and the creator of offers not sending fees to capitalPool when `_depositTokenWhenCreateTaker` is invoked. For issues noting rounding directions, it will be low severity given the impact is not proven sufficiently with a PoC/numerical example and most rounding will not result in significant losses. I believe the most appropriate solution here is to increase the scale of the platformFee scalar, but to make sure that overflows are considered for higher-decimal tokens.
