A small amount of xSALT tokens will be stuck in the Airdrop contract due to precision loss. The amount of tokens that should be sent to users is equal to saltBalance / numberAuthorized(). When claiming is allowed, every user can call the claimAirdrop function to receive their reward.
Unfortunately, due to precision loss, a small amount of tokens will be stuck in the contract. In a scenario where the total number of users is, for example, 2707, the amount that should be sent to users will be 1847063169560398965644 = (5 * MILLION_ETHER / 2707) and the total sent amount will be 4999999999999999999998308. The result of 5 * MILLION_ETHER - 4999999999999999999998308 will remain in the Airdrop contract forever.
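The scenario above can be reproduced with a small model of the claim flow. This is an added example, not code from the Salty repository or from the report: `AirdropModel`, `simulate` and `max_stranded` are hypothetical names, integer ids stand in for user addresses, and Python's `//` stands in for Solidity's truncating `uint256` division. It goes slightly beyond the 2707-user case by also scanning a range of user counts for the largest stranded remainder.

```python
MILLION_ETHER = 10**6 * 10**18  # 1,000,000 tokens at 18 decimals


class AirdropModel:
    """Toy model of the claim flow in the finding; not the Salty contract code."""

    def __init__(self, salt_balance: int, number_authorized: int):
        self.salt_balance = salt_balance
        self.number_authorized = number_authorized
        self.claimed = set()
        # Solidity's uint256 `/` truncates, which Python's `//` reproduces
        # for non-negative integers.
        self.amount_per_user = salt_balance // number_authorized

    def claim_airdrop(self, user: int) -> int:
        if not 0 <= user < self.number_authorized:
            raise PermissionError("user is not authorized")
        if user in self.claimed:
            raise ValueError("already claimed")
        self.claimed.add(user)
        self.salt_balance -= self.amount_per_user
        return self.amount_per_user


def simulate(salt_balance: int, number_authorized: int):
    """Every authorized user claims once; returns (per_user, total_sent, stranded)."""
    drop = AirdropModel(salt_balance, number_authorized)
    total_sent = sum(drop.claim_airdrop(u) for u in range(number_authorized))
    return drop.amount_per_user, total_sent, drop.salt_balance


def max_stranded(salt_balance: int, max_users: int):
    """User count in 1..max_users leaving the most dust, as (count, dust).
    Dust equals salt_balance % count, so it is always below the user count."""
    return max(((n, salt_balance % n) for n in range(1, max_users + 1)),
               key=lambda pair: pair[1])


if __name__ == "__main__":
    per_user, sent, stranded = simulate(5 * MILLION_ETHER, 2707)
    print(f"per user: {per_user}\ntotal sent: {sent}\nstranded: {stranded} base units")
    print("worst case up to 5000 users:", max_stranded(5 * MILLION_ETHER, 5000))
```

The stranded amount is the remainder of the division, so it is zero only when the number of authorized users divides the balance exactly.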
Tools Used
Manual Review
Recommended Mitigation Steps
Multiply the saltBalance before division by numberAuthorized() to avoid precision loss.
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/launch/Airdrop.sol#L64
Assessed type
Other