code-423n4 / 2022-09-party-findings


`fee` could round down to 0 #265

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/distribution/TokenDistributor.sol#L352-L353

Vulnerability details

Impact

The fee and memberSupply calculations will be inaccurate.

Proof of Concept

// contracts/distribution/TokenDistributor.sol
352-353:
        uint128 fee = supply * args.feeBps / 1e4;
        uint128 memberSupply = supply - fee;

When supply is low, fee could round down to 0, which further affects memberSupply calculation.

Tools Used

Manual analysis.

Recommended Mitigation Steps

Check fee value, and round up if needed.
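Added here as an illustration, not the project's own code: a Python model of the uint128 arithmetic in the two quoted lines, showing the supply below which the round-down fee is 0 and what the suggested round-up would do instead. The 250 bps (2.5%) fee and the supply values in the comments are constructed for the example.

```python
# Added example (not PartyDAO's code): models TokenDistributor.sol L352-353
#   uint128 fee = supply * args.feeBps / 1e4;
#   uint128 memberSupply = supply - fee;
# with Solidity 0.8 checked uint128 semantics (revert on overflow).
UINT128_MAX = 2**128 - 1
BPS_DENOMINATOR = 10_000  # 1e4, i.e. feeBps is in basis points


def _uint128(x: int) -> int:
    """Mimic Solidity 0.8 checked arithmetic: out-of-range values revert."""
    if x < 0 or x > UINT128_MAX:
        raise OverflowError("uint128 arithmetic overflow (tx would revert)")
    return x


def split_round_down(supply: int, fee_bps: int) -> tuple[int, int]:
    """Current behaviour: integer division truncates, so fee can be 0."""
    fee = _uint128(_uint128(supply * fee_bps) // BPS_DENOMINATOR)
    member_supply = _uint128(supply - fee)
    return fee, member_supply


def split_round_up(supply: int, fee_bps: int) -> tuple[int, int]:
    """Mitigation sketched in the finding: round any non-zero fee up.

    Written as quotient + (1 if remainder) so no intermediate exceeds
    supply * feeBps, which a Solidity port would also have to respect.
    """
    product = _uint128(supply * fee_bps)
    fee = product // BPS_DENOMINATOR + (1 if product % BPS_DENOMINATOR else 0)
    member_supply = _uint128(supply - _uint128(fee))
    return fee, member_supply


def zero_fee_threshold(fee_bps: int) -> int:
    """Largest supply for which the round-down fee is still 0.

    fee == 0  <=>  supply * feeBps < 1e4  <=>  supply <= (1e4 - 1) // feeBps
    """
    if fee_bps <= 0:
        raise ValueError("feeBps must be positive")
    return (BPS_DENOMINATOR - 1) // fee_bps


if __name__ == "__main__":
    # Constructed values: 2.5% fee on a low-denomination token supply.
    print(zero_fee_threshold(250))        # 39: any supply <= 39 pays no fee
    print(split_round_down(39, 250))      # (0, 39)
    print(split_round_up(39, 250))        # (1, 38)
    print(split_round_up(1, 250))         # (1, 0): round-up can consume a tiny supply
```

Note that rounding up has its own edge case: for a supply of 1 the whole amount becomes fee and memberSupply is 0, so a fix would need to decide which side absorbs the rounding.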

merklejerk commented 1 year ago

Fees aren't critical to the protocol, so computing a 0 fee for (unlikely) low denomination ERC20s is acceptable.

HardlyDifficult commented 1 year ago

Who doesn't like 0 fees? :) Does not seem harmful, closing as invalid.