Submission Details
Severity:
Precision loss calculating feePerLp in hook `onAfterRemoveLiquidity`
Summary
The values of feeDataArray are gotten in usd but are inflated by multipling by 1e18 This precision mismatch could result in slight inaccuracies in the calculated fees, either overestimating or underestimating the fee amount.
Vulnerability Details
Here is the code snippet:
FeeData[] storage feeDataArray = poolsFeeData[pool][userAddress];
localData.feeDataArrayLength = feeDataArray.length;
localData.amountLeft = bptAmountIn;
for (uint256 i = localData.feeDataArrayLength - 1; i >= 0; --i) {
localData.lpTokenDepositValue = feeDataArray[i].lpTokenDepositValue;
localData.lpTokenDepositValueChange =
(int256(localData.lpTokenDepositValueNow) - int256(localData.lpTokenDepositValue)) /
int256(localData.lpTokenDepositValue);
uint256 feePerLP;
// if the pool has increased in value since the deposit, the fee is calculated based on the deposit value
if (localData.lpTokenDepositValueChange > 0) {
feePerLP =
@> (uint256(localData.lpTokenDepositValueChange) * (uint256(feeDataArray[i].upliftFeeBps) * 1e18)) /
10000;
}
Impact
It inflates the feePerLP for users causing loss for protocol
Tools Used
Manual Audit
Recommendations
Convert the feeDataArray values back to eth before calculating FeePerLp
Prize pool breakdown
Total prize
49,600 OP
nSLOC
3,00017
OP / LOC
44,640
4,960
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.