A smaller amount divided by a very large value of scaleFactor will always return zero as the result.
When the Helpers::descaleAmount function descales the provided amount, if amount is so much smaller than scaleFactor that dividing amount by scaleFactor gives a value between 0 and 1 (0 < result < 1), the result is always rounded down to zero and the initial amount is lost:
This function is used in the SablierFlow::_withdraw function to calculate the total debt:
Because of the issue described above, totalDebt may be calculated incorrectly, resulting in a loss of funds or the inability to make a withdrawal.
For example, if amount = 5 and decimals = 10:
With decimals = 10, the function calculates scaleFactor as:
scaleFactor = 10^(18 − 10) = 10^8 = 100,000,000
The function then divides amount by scaleFactor:
result = amount / scaleFactor = 5 / 100,000,000 = 0
Since Solidity uses integer division, the fractional part of the quotient is truncated, so the final result is 0.
So the amount of 5 tokens provided by the user is descaled to an amount of 0 tokens.
As small amounts cannot be descaled, they cannot be withdrawn either and will remain locked in the contract.
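The truncation in the worked example above, as an added sketch that is not the project's Helpers code: the library name DescaleExample, the function descaleWithRemainder and the test contract are hypothetical. It assumes amounts are held at 18 decimals, as the scaleFactor formula above implies, and returns the remainder that the division discards so a caller can account for it rather than drop it silently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration. DescaleExample and its function are hypothetical names,
/// not part of the project's Helpers library.
library DescaleExample {
    /// Descale an 18-decimal `amount` to `decimals`, returning the truncated
    /// quotient together with the remainder that integer division discards.
    function descaleWithRemainder(uint256 amount, uint8 decimals)
        internal
        pure
        returns (uint256 descaled, uint256 remainder)
    {
        require(decimals <= 18, "decimals > 18");
        if (decimals == 18) {
            return (amount, 0);
        }
        uint256 scaleFactor = uint256(10) ** (18 - decimals);
        descaled = amount / scaleFactor;  // rounds toward zero
        remainder = amount % scaleFactor; // the part the division drops
    }
}

/// Constructed checks that reproduce the numbers used in the text.
contract DescaleExampleTest {
    function testSmallAmountTruncatesToZero() external pure {
        // amount = 5, decimals = 10: scaleFactor = 10^8, quotient is 0.
        (uint256 d, uint256 r) = DescaleExample.descaleWithRemainder(5, 10);
        assert(d == 0);
        assert(r == 5);
    }

    function testExactMultipleHasNoRemainder() external pure {
        // The smallest amount that descales to a non-zero value is scaleFactor.
        (uint256 d, uint256 r) = DescaleExample.descaleWithRemainder(100_000_000, 10);
        assert(d == 1);
        assert(r == 0);
    }

    function testRemainderIsReported() external pure {
        // 250,000,005 = 2 * 10^8 + 50,000,005.
        (uint256 d, uint256 r) = DescaleExample.descaleWithRemainder(250_000_005, 10);
        assert(d == 2);
        assert(r == 50_000_005);
    }
}
```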
Manual review.
Use libraries like OpenZeppelin’s SafeMath or Solidity’s built-in arithmetic features to handle arithmetic operations safely.