Dria

Swan

NFTHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Integer Division Truncation In Statistics Library Causes Precision Loss

cheatc0d33

Summary

The avg() function in Statistics library performs integer division which truncates decimal values, losing precision critical for financial calculations.

This precision loss becomes critical when exact averages are needed for protocol decisions, price calculations, or token distributions.

Current Code

https://github.com/Cyfrin/2024-10-swan-dria/blob/main/contracts/libraries/Statistics.sol#L8

function avg(uint256[] memory data) internal pure returns (uint256 ans) {

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

sum += data[i];

}

ans = sum / data.length; // Integer division truncation happens here

}

In Solidity, division between integers always truncates the decimal part. This means any fractional results are rounded down to the nearest integer.

Example

Basic Case

uint256[] memory data = new uint256[]();

data[0] = 3;

data[1] = 4;

uint256 result = avg(data);

// sum = 7

// length = 2

// 7/2 = 3.5, but result = 3 (decimal is truncated)

Impact

Could lead to systematic undervaluation in calculations
Accumulated errors in repeated calculations
Particularly problematic in high-precision financial applications

Possible Solutions

Scale Before Division

function avg(uint256[] memory data) internal pure returns (uint256 ans) {

require(data.length > 0, "Empty array");

uint256 SCALE = 1e18; // Common scaling factor

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

sum += data[i];

}

ans = (sum * SCALE) / data.length; // Result is scaled up by 1e18

}

Return Both Parts

function avg(uint256[] memory data) internal pure returns (uint256 quotient, uint256 remainder) {

require(data.length > 0, "Empty array");

uint256 sum = 0;

for (uint256 i = 0; i < data.length; i++) {

sum += data[i];

}

quotient = sum / data.length;

remainder = sum % data.length;

}

The choice of solution depends on the specific use case and precision requirements. The scaling solution is more commonly used in DeFi applications where maintaining precision is critical.

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,034

20 USDC / LOC

High Medium

20,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.