Closed code423n4 closed 2 years ago
Probably keeping this same as Curve and mStable
this rounding issue doesn't seem to really impact the proper functioning of veFDT given this logic has been battle tested in Curve and a number of projects using Curve contracts over the years. that's why I downgrade severity to QA
Severity downgrade approved.
Duplicate of #244
Lines of code
https://github.com/code-423n4/2022-08-fiatdao/blob/5a254ab15a387bd65a7dc50ac8371cb77de1e5d5/contracts/VotingEscrow.sol#L237-L242 https://github.com/code-423n4/2022-08-fiatdao/blob/5a254ab15a387bd65a7dc50ac8371cb77de1e5d5/contracts/VotingEscrow.sol#L245-L250
Vulnerability details
Impact
Dividing before doing multiplication in solidity can make the number to be rounded down. This is a threat as it can make a fee or something similar become 0, an unexpected result.
Proof of Concept
https://github.com/crytic/slither/wiki/Detector-Documentation#divide-before-multiply.
Tools Used
Manual analysis and slither.
Recommended Mitigation Steps
Just multiply before dividing as it will give the expected result.