Calculations like valueX8 and liquidity do not account for potential rounding errors

[code423n4]

Lines of code

https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L268 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L277

Vulnerability details

Impact

• These small inaccuracies could accumulate and cause the total supply of liquidity tokens to not exactly match the vault holdings.
• This could allow an attacker to potentially deposit tokens, get liquidity that is slightly higher than what they should based on the rounding error, and withdraw more assets than they deposited

Proof of Concept

The rounding errors in calculations like valueX8 and liquidity can accumulate over time and lead to inaccuracies.

The key areas where rounding errors can occur are:

1. valueX8 calculation - Here the amount is multiplied by the asset price (a uint) and then divided by the token decimals (a power of 10). This can lead to loss of precision :https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L268

2. liquidity calculation - Here valueX8 and vaultValueX8 are multiplied and divided, again potentially losing precision : https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/GeVault.sol#L277

Over many deposits and withdrawals, these small rounding errors can accumulate and lead to the total liquidity minted being inaccurate compared to the actual assets deposited.

Tools Used

Manual

Recommended Mitigation Steps

calculations involving division should aim to keep the intermediate values in the highest precision possible before dividing.

Assessed type

Other

[c4-pre-sort]

raymondfam marked the issue as low quality report

[raymondfam]

A known QA issue in the bot.

[c4-judge]

HickupHH3 marked the issue as unsatisfactory: Insufficient proof