code-423n4 / 2024-01-salty-findings


Precision loss in Airdrop contract #985

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/main/src/launch/Airdrop.sol#L64

Vulnerability details

Impact

A small amount of xSALT tokens will be stuck in the Airdrop contract due to precision loss. The amount of tokens that should be sent to users is equal to saltBalance / numberAuthorized(). When claiming is allowed, every user can call the claimAirdrop function to receive their reward.

Unfortunately, due to precision loss, a small amount of tokens will be stuck in the contract. In a scenario where the total number of users is, for example, 2707, the amount that should be sent to users will be 1847063169560398965644 = (5 * MILLION_ETHER / 2707) and the total sent amount will be 4999999999999999999998308. The result of 5 * MILLION_ETHER - 4999999999999999999998308 will remain in the Airdrop contract forever.

Tools Used

Manual Review

Recommended Mitigation Steps

Multiply the saltBalance before division by numberAuthorized() to avoid precision loss.

Assessed type

Other
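The claim flow from the report above, as an added Python model that is not the contract's code or part of the original comment: it replays 2707 claims with truncating integer division and returns the per-user amount, the total sent and the leftover balance. The class and method names are hypothetical, and MILLION_ETHER is assumed to be 1,000,000 tokens at 18 decimals.

```python
# Simplified model of the Airdrop claim flow (assumption: not the real contract).
MILLION_ETHER = 10**6 * 10**18  # assumed: 1,000,000 tokens, 18 decimals


class AirdropModel:
    def __init__(self, salt_balance):
        self.salt_balance = salt_balance
        self.authorized = set()
        self.claimed = set()
        self.claiming_allowed = False
        self.amount_per_user = 0

    def authorize(self, wallet):
        if self.claiming_allowed:
            raise PermissionError("authorization closed")
        self.authorized.add(wallet)

    def number_authorized(self):
        return len(self.authorized)

    def allow_claiming(self):
        # Python's // truncates the same way Solidity uint256 division does.
        self.amount_per_user = self.salt_balance // self.number_authorized()
        self.claiming_allowed = True

    def claim_airdrop(self, wallet):
        if not self.claiming_allowed:
            raise PermissionError("claiming not allowed yet")
        if wallet not in self.authorized or wallet in self.claimed:
            raise PermissionError("not authorized or already claimed")
        self.claimed.add(wallet)
        self.salt_balance -= self.amount_per_user
        return self.amount_per_user


def simulate(total, users):
    """Authorize `users` wallets, let each claim once, report the outcome."""
    drop = AirdropModel(total)
    wallets = [f"user{i}" for i in range(users)]  # constructed sample wallets
    for w in wallets:
        drop.authorize(w)
    drop.allow_claiming()
    sent = sum(drop.claim_airdrop(w) for w in wallets)
    # Leftover equals total % users, so it is always below `users` base units.
    return drop.amount_per_user, sent, drop.salt_balance
```

For the report's figures the leftover is 1692 base units (wei) out of 5 * MILLION_ETHER, which is `total % users`.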

c4-judge commented 5 months ago

Picodes marked the issue as unsatisfactory: Overinflated severity