Fee calculation is slightly off

[code423n4]

Handle

gzeon

Vulnerability details

Impact

The fee calculation

            uint256 timeDiff = (block.timestamp - lastFee);
            uint256 feePct = timeDiff * licenseFee / ONE_YEAR;
            uint256 fee = startSupply * feePct / (BASE - feePct);

tries to calculate a fee such that fee/(supply+fee) = %fee using a simple interest formula (i.e. no compounding), this lead to slightly less fee collected when fee are collected more frequently (small timeDiff) vs less frequently (big timeDiff).

Proof of Concept

https://github.com/code-423n4/2021-12-defiprotocol/blob/205d3766044171e325df6a8bf2e79b37856eece1/contracts/contracts/Basket.sol#L133

[frank-beard]

while this is technically true, the actual precision loss should be very negligible.

[0xleastwood]

I think any precision loss or value leakage qualifies for a medium severity issue. This seems like it would lead to an inconsistent fee calculation and is probably worthwhile fixing long-term.