Fee Bypass Through Precision Loss in Low-Decimal Tokens
Summary
The UpliftOnlyExample contract's fee calculation mechanism can be bypassed for significant amounts when using low-decimal tokens like GUSD (2 decimals). This allows users to execute large trades without paying any fees, leading to potential revenue loss for the protocol and the pool creator.
Vulnerability Details
NOTE: As per the protocol readme: all balancer tokens are in scope and GUSD is a valid balancer token.
The fee calculation in UpliftOnlyExample::afterSwap hook uses the following formula:
UpliftOnlyExample.sol#L298
With 0.1% fee setting:
For zero fee (rounding down in integer arithmetic):
For GUSD (2 decimals):
1000 base units = 10.00 GUSD
Therefore, any amount up to 9.99 GUSD will result in zero fees.
Concrete Example:
Trade amount: 9.99 GUSD = 999 base units
Fee calculation with 0.1% fee:
Impact
Swap fee can be bypassed for low-decimal tokens
Tools Used
Manual Review
Recommendations
Use decimal normalization for fee calculations
Lead Judging Commences
finding_tokens_with_few_decimals_can_bypass_fees
Likelyihood: Very Low, tokens with 2 or less decimals and few fees. Impact: Low, bypass fees but for very few amounts, gas usage will be equivalent. (No reason to break a big swap in multiple)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.