The platformFee and the tradeTax should be round up
Summary
All the amounts that benefit the platform should be rounded up always to avoid problems in internal calculations that can allow an attacker to manipulate the token values in the contracts.
Vulnerability Details
The createTaker function calculates the amount of tokens the user needs to deposit to pay the points they want to buy, this function also calculates the platformFee and the tradeTax the user must pay to complete the trade.
when the createTaker function calculates the depositAmount it calls the mulDiv function and rounds the result up which is good, but when it calculates the platformFee and the tradeTax it calls the mulDiv function which rounds the result down, this is a mistake that can open the door to an attacker to manipulate the internal token amounts to his benefit, it's always recommended to round all the calculations in a way that favors the protocol instead of the user, so the recommended here would be to round up the platformFee and the tradeTax calculations.
Impact
bad rounding direction that benefits the user instead of the protocol.
Tools Used
Manual Review
Recommendations
Round the platformFee and the tradeTax in favor of the protocol, in this case the rounding of these variables should be up.
Lead Judging Commences
finding-PreMarkets-Rounding-Direction
Duplicate of #456, however, for issues noting rounding directions, will be low severity given the impact is not proven sufficiently with a PoC/numerical example and most rounding will not result in significant losses e.g. most examples only proved at most a 1 wei difference when computing `depositAmount/platFormFees` and involves lower amount offers
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.