Part 2

Zaros
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

[M-1] Systematic LP Penalization Through Truncation (Math Error + Financial Loss)

Summary

The ZlpVault::_convertToAssets and ZlpVault::_convertToShares functions systematically reduce LP withdrawal amounts through unchecked rounding-down. Over time, small losses per withdrawal compound into material LP losses, eroding trust in the protocol.

Vulnerability Details

Affected Code:

    function _convertToAssets(...) returns (uint256) {
        UD60x18 assetsOut = ...; // Rounds down
        return assetsOut.intoUint256(); // Truncates decimals
    }

Numerical Proof:

LP deposits 100.999999 WETH

Protocol calculates 100.999999 * 0.9999 = 100.989899 WETH

Withdrawal returns floor(100.989899) = 100 WETH

Loss: 0.989899 WETH (~$3,000 at current prices)

Protocol-Wide Impact:

| TVL   | Daily Withdrawals | Annual LP Loss |
|-------|-------------------|----------------|
| $10M  | 50                | $547,500       |
| $100M | 500               | $5.475M        |

Impact

Medium Impact: Protocol-level value extraction from LPs

High Likelihood: Affects 100% of withdrawals

Reputation Risk: Erodes trust in protocol fairness

Tools Used

Manual mathematical analysis

Historical data comparison (Compound Finance's rounding issues)

Recommendations

  1. Implement context-aware rounding:

    function _convertToAssets(...) returns (uint256) {
        return assetsOut.intoUint256(
            context == WITHDRAW ? Math.Rounding.Ceil : Math.Rounding.Floor
        );
    }

  2. Add loss compensation buffer:

    uint256 public roundingBuffer;
    function _updateBuffer(uint256 loss) internal {
        roundingBuffer += loss;
        if (roundingBuffer > MAX_BUFFER) revert("Buffer exceeded");
    }

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
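
The two rounding directions discussed in this submission can be compared in base units. The model below is an added example, not code from the Zaros repository or from the submission; it assumes an 18-decimal asset, a pro-rata conversion of the form shares * totalAssets / totalSupply, and a constructed vault state at roughly 0.9999 assets per share.

```python
# Added example: integer model of a pro-rata share -> asset conversion.
# Assumption: amounts are integers in 1e-18 base units (18-decimal token).
WAD = 10**18


def convert_to_assets(shares, total_assets, total_supply, round_up=False):
    """assets = shares * total_assets / total_supply, rounded down or up."""
    q, r = divmod(shares * total_assets, total_supply)
    return q + 1 if (round_up and r) else q


def redeem(shares, total_assets, total_supply, round_up=False):
    """Pay out `shares` and return (paid, assets_left, supply_left)."""
    paid = convert_to_assets(shares, total_assets, total_supply, round_up)
    return paid, total_assets - paid, total_supply - shares


def remaining_lps_diluted(shares, total_assets, total_supply, round_up=False):
    """True if the redemption lowers assets-per-share for the LPs who stay.

    Compared by cross-multiplication so no precision is lost.
    """
    _, assets_left, supply_left = redeem(shares, total_assets, total_supply, round_up)
    return assets_left * total_supply < total_assets * supply_left


# Constructed vault state (not taken from the protocol).
TOTAL_SUPPLY = 10_000 * WAD
TOTAL_ASSETS = 9_999 * WAD + 7
POSITION = 100_999_999 * 10**12  # 100.999999 shares expressed in base units

if __name__ == "__main__":
    for mode, up in (("floor", False), ("ceil", True)):
        paid = convert_to_assets(POSITION, TOTAL_ASSETS, TOTAL_SUPPLY, up)
        diluted = remaining_lps_diluted(POSITION, TOTAL_ASSETS, TOTAL_SUPPLY, up)
        print(f"{mode:5}: paid {paid} base units = {paid / WAD:.10f} tokens, "
              f"remaining LPs diluted: {diluted}")
```

With these inputs, rounding down leaves the payout less than one base unit (1e-18 of a token) below the exact pro-rata value and keeps the fractional part of the amount. Rounding up pays one base unit more than the exact value and lowers assets-per-share for the LPs who remain.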
