Closed c4-bot-9 closed 9 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
QA likely. Medium at best.
rocketman-21 (sponsor) confirmed
QA seems most appropriate due to the governance token having 18 decimals vs. a shown rounding error of 8 decimals, therefore the rounding error is negligible. Moreover, no subsequent impacts are shown/proven.
QA findings which are originally submitted as High are judged as overinflated severity.
MarioPoneder marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/libs/VRGDAC.sol#L57-L81
Vulnerability details
Impact
There is a loss of precision in the VRGDAC.yToX function, because in several places division occurs first and the result is then multiplied. This results in users receiving fewer tokens. According to test data, the difference can be 8 digits. The choice of vulnerability severity takes into account the high probability of the event and the possibility of even more significant damage.
Proof of Concept
There are two places where division occurs first in the VRGDAC.yToX function. This can be easily fixed according to Recommended Mitigation Steps. The difference in calculation accuracy can be verified using the existing test ERC20TokenEmitterTest.testBuyingLaterIsBetter. The test requires adding logging of the amount of tokens.
Test result of the existing implementation:
Test result with changes made:
Tools Used
Manual review
Recommended Mitigation Steps
Consider using division after multiplication in all places where it is possible:
Assessed type
Math
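As an added illustration of the divide-before-multiply precision loss described in the Proof of Concept and the ordering proposed under Recommended Mitigation Steps, the following Python is example code written for this page; it is not the protocol's VRGDAC.yToX implementation and does not reproduce the repository's test. Python's `//` on non-negative integers truncates exactly as Solidity's uint256 division does, so the arithmetic carries over. The formula `y * num / den` and the constructed inputs (a 1e18 payment, a 3e9 divisor, a 7e9 multiplier) are assumptions chosen to make the effect visible; the general bound it demonstrates is that the shortfall from dividing first is always less than the factor multiplied afterwards.

```python
from fractions import Fraction

WAD = 10**18  # 18-decimal fixed point, the scale of an 18-decimal ERC20 token


def divide_then_multiply(y: int, num: int, den: int) -> int:
    """Ordering the finding flags: the quotient is truncated first, then
    scaled up, so the truncation error is multiplied by `num`."""
    return (y // den) * num


def multiply_then_divide(y: int, num: int, den: int) -> int:
    """Recommended ordering: a single truncation at the very end, so the
    result is short by less than 1 wei."""
    return (y * num) // den


def exact(y: int, num: int, den: int) -> Fraction:
    """Rational reference value, free of integer truncation."""
    return Fraction(y * num, den)


def shortfall_wei(result: int, y: int, num: int, den: int) -> int:
    """How many wei the integer result falls below the floor of the exact value.
    Truncation only rounds down, which is why the buyer always receives fewer
    tokens, never more."""
    return int(exact(y, num, den)) - result


def decimal_digits(value: int) -> int:
    """Number of decimal digits in a non-negative integer (0 for 0)."""
    return len(str(value)) if value > 0 else 0


def fits_uint256(y: int, num: int) -> bool:
    """Multiply-first needs headroom: in Solidity 0.8 the intermediate
    product reverts on overflow, so check it stays below 2**256."""
    return y * num < 2**256


def compare(y: int, num: int, den: int) -> dict:
    """Run both orderings on the same inputs and report the discrepancy."""
    first = divide_then_multiply(y, num, den)
    second = multiply_then_divide(y, num, den)
    err_first = shortfall_wei(first, y, num, den)
    err_second = shortfall_wei(second, y, num, den)
    return {
        "divide_first": first,
        "multiply_first": second,
        "divide_first_shortfall_wei": err_first,
        "multiply_first_shortfall_wei": err_second,
        "divide_first_shortfall_digits": decimal_digits(err_first),
        # y = q*den + r gives shortfall = floor(r*num/den) < num, so the
        # error is bounded by the factor applied after the division.
        "shortfall_bound_holds": err_first < num,
        "multiply_first_fits_uint256": fits_uint256(y, num),
    }


if __name__ == "__main__":
    # Constructed inputs: a 1 token payment (1e18 wei), divisor 3e9, multiplier 7e9.
    for key, value in compare(10**18, 7 * 10**9, 3 * 10**9).items():
        print(f"{key}: {value}")
```

With these inputs the divide-first ordering returns 2333333331000000000 and the multiply-first ordering 2333333333333333333, a shortfall of 2333333333 wei (10 decimal digits) for the buyer; the digit count scales with the multiplier applied after the truncating division, which is why the ordering, not the token's 18 decimals, decides how much precision survives.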