OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: low
Valid

Precision loss in `buyOrder` can lead to decrease in expected protocol fees

Root + Impact

Precision loss in `buyOrder` can lead to decrease in expected protocol fees.

Description

When `buyOrder` calculates the protocol fee, there is a risk of precision loss: Solidity has no fractional numbers, so integer division discards any remainder. As such, an attacker could batch their transactions to maximize their returns and minimize the fees received by the protocol.

    uint256 protocolFee = (order.priceInUSDC * FEE) / PRECISION;
    uint256 sellerReceives = order.priceInUSDC - protocolFee;

Risk

Likelihood:

  • Reason 1: Whenever the `protocolFee` calculation yields a fractional (non-integer) result

Impact:

  • Impact 1: This would cause a significant difference between the expected protocol fees and the actual fees received by the protocol

Proof of Concept

    function test_precisionLoss() public {
        uint256 price = 33;

        // Seller lists 1 unit of wSOL at a price of 33 USDC base units
        vm.startPrank(clara);
        wsol.approve(address(book), 1e18);
        uint256 orderId = book.createSellOrder(address(wsol), 1, price, 1 days);
        vm.stopPrank();

        // Same expression buyOrder uses; integer division truncates the result
        uint256 protocolFee = (price * book.FEE()) / book.PRECISION();
        console2.log("Computed protocol fee:", protocolFee);

        // Attacker buys the order
        vm.startPrank(dan);
        usdc.approve(address(book), price);
        book.buyOrder(orderId);
        vm.stopPrank();

        console2.log("Current protocol fees collected:", book.totalFees());
    }

The `protocolFee` is found to be 0 instead of the expected 0.99.

Recommended Mitigation

Consider using a higher precision factor when calculating the protocol fee.
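
The following Foundry test is an added example, not part of the original submission or the OrderBook code base. It compares the truncating fee expression from `buyOrder` with a round-up variant and with a basis-point scale over 100 orders priced at 33. `FEE = 3` and `PRECISION = 100` are assumptions inferred from the report's figures (33 gives 0.99), and `feeCeil` and `feeBps` are hypothetical helpers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added illustration only. FEE and PRECISION are assumed values (3%),
// inferred from the report's "33 -> expected 0.99"; they are not read from OrderBook.
contract FeeRoundingTest is Test {
    uint256 constant FEE = 3;
    uint256 constant PRECISION = 100;

    // Same expression as buyOrder: integer division truncates toward zero.
    function feeFloor(uint256 price) internal pure returns (uint256) {
        return (price * FEE) / PRECISION;
    }

    // Hypothetical variant: same 3% rate expressed in basis points.
    function feeBps(uint256 price) internal pure returns (uint256) {
        return (price * 300) / 10_000;
    }

    // Hypothetical variant: round up, so the remainder goes to the protocol.
    function feeCeil(uint256 price) internal pure returns (uint256) {
        return (price * FEE + PRECISION - 1) / PRECISION;
    }

    function test_singleOrder() public {
        assertEq(feeFloor(33), 0); // 0.99 truncates to 0
        assertEq(feeBps(33), 0);   // scaling rate and divisor together changes nothing
        assertEq(feeCeil(33), 1);  // rounding up charges the smallest unit
        assertEq(feeFloor(34), 1); // first price at which the floor fee is non-zero
    }

    function test_splitOrdersVersusOneOrder() public {
        uint256 chunk = 33;
        uint256 count = 100; // 100 orders of 33 = 3,300 in total volume
        uint256 floorSum;
        uint256 ceilSum;
        for (uint256 i = 0; i < count; i++) {
            floorSum += feeFloor(chunk);
            ceilSum += feeCeil(chunk);
        }
        assertEq(feeFloor(chunk * count), 99); // fee on one order of 3,300
        assertEq(floorSum, 0);                 // same volume split: no fee collected
        assertEq(ceilSum, 100);                // round-up: splitting costs the buyer more, not less
    }
}
```

The fee is paid in whole token base units, so the rounding direction of the final division decides who keeps the remainder, whatever scale the rate is expressed in.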

Updates

Lead Judging Commences

yeahchibyke Lead Judge 14 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Fee can be bypassed

Protocol Suffers Potential Revenue Leakage due to Precision Loss in Fee Calculation
