Open code423n4 opened 2 years ago
duplicates: #148, #198, arguably #145 as well
We dont want to collect dust anyway. We may end up changing this, but not sure atm.
Marking down to low-risk as the costs of doing so would probably outweigh any benefits on any chain with reasonable gas prices. Increasing the number of decimals used to calc fees could resolve this issue pretty easily.
Handle
hack3r-0m
Vulnerability details
Impact
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L397
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L711
Due to integer divison of solidity, (999 10) / 10000 = 0, so for all values `fee amount` < 10000, user does not have to pay if fee is enabled or fee during executing flashloan.
A user can deposit total amount into chunks such that on every fund / flashloan, user does not have to pay fee.
Similiary, (1999 * 10) / 10000 = 1 can be exploited.
Proof of Concept
(included above)
Tools Used
Manual Review
Recommended Mitigation Steps
Use FixedPoint Arithmetic library or scale up amount (amount 10^18) and scale down(result / (1018) after performing divison