-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dust will be accumulated when calculating the protocol and creator revenues due to the division performed #62
Comments
Since low decimal tokens are out of scope, I don't think this is high risk. |
@syuhei176 Sponsors can only use these labels: sponsor confirmed, sponsor disputed, sponsor acknowledged. |
1 similar comment
@syuhei176 Sponsors can only use these labels: sponsor confirmed, sponsor disputed, sponsor acknowledged. |
The Warden and its duplicate specify that a truncation issue will occur for uneven numbers in the As the Sponsor correctly states, the maximum impact of this submission is two |
alex-ppg changed the severity to QA (Quality Assurance) |
alex-ppg marked the issue as grade-c |
Hey @alex-ppg, I would like to add some clarifications to this report. Another thing is the maximum impact and why it is not two wei, but more. Given these 2 preconditions, I think the impact can fall into this category from C4 documentation: Thanks! |
Hey @blckhv, thanks for contributing to the PJQA process! The value lost here is negligible and would require millions of transactions to occur before it is an observable value (i.e. 1m transactions would lead to 500 USD in value if we consider WBTC only being transacted). For all intents and purposes, this is a QA (L) risk flaw. |
Lines of code
https://github.com/code-423n4/2024-05-predy/blob/main/src/libraries/ApplyInterestLib.sol#L50-L73
Vulnerability details
Impact
PredyPool
will have tokens stuck because of a wrong protocol and creator fees. It will happen then the totalProtocolFee is not an even number.Proof of Concept
Currently, the following functions trigger the interest update for the token pairs:
PredyPool::supply
PredyPool::execLiquidationCall
PredyPool::getPairStatus
PredyPool::revertPairStatus
PredyPool::reallocate
PredyPool::withdraw
PredyPool::trade
All of them will accumulate huge amounts of locked tokens in the pool because the
ApplyInterestLib::applyInterestForPoolStatus
uses the wrongtotalProtocolFee
calculation:ApplyInterestLib.sol
As we can see the intention is to have equally distributed fees to the operator and owner, but in reality small amounts of tokens will always be left in the contract, without a way to be retrieved when
totalProtocolFee
is an odd number.For example let’s say the total fee is 1111 tokens, then both users will receive 555 tokens and the rest 1 token will be left in the contract.
This might seem a negligible number, but given that all the functions above are using the wrong calculation, in a short amount of time a lot of tokens will be left in the
PredyPool
without a way to be claimed by anyone, especially when there is a high activity.Even more, as the time passes and
PredyPool
continues to accumulate dust, reserves will also be highly increased.Similar issue:
https://solodit.xyz/issues/native-tokens-permanently-stuck-in-strategypassivemanageruniswap-contract-due-to-rounding-in-_chargefees-cyfrin-none-cyfrin-beefy-finance-markdown
Tools Used
Manual Review
Recommended Mitigation Steps
Rewrite the function to not leave locked tokens.
Assessed type
Math
The text was updated successfully, but these errors were encountered: