`LiquidInfrastructureERC20::_beginDistribution()` - L242: It seems `balance / supply` will round down to zero every time due to fact that `balance` is always smaller than `supply`, and there seems to be nothing in place to handle this risk.

[c4-bot-4]

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/3adc34600561077ad4834ee9621060afd9026f06/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L242

Vulnerability details

uint256 entitlement = balance / supply;

Since balance will always be <= to supply, the only time this can be non-zero is when there's only one ERC20 token available for distribution with a balance equal to supply. That would not be the normal case and therefore this division would round down to zero all the time with the current implementation.

Impact:

• distributions wont send any tokens to holders because entitlement value for all the distributable ERC20 tokens will be zero.

Recommendation:

• To address potential rounding down to zero in the entitlement calculation, a scaling factor could be utilized to multiply the balance before division, ensuring precision and preventing incorrect distribution of entitlements.

• make use of OZ's SafeMath library and consider using FixedPointMath libraries to handle fractional values properly.

Assessed type

Math

[c4-pre-sort]

0xRobocop marked the issue as duplicate of #638

[c4-judge]

0xA5DF marked the issue as duplicate of #757

[c4-judge]

0xA5DF marked the issue as satisfactory

[c4-judge]

0xA5DF changed the severity to 2 (Med Risk)

[c4-judge]

0xA5DF marked the issue as unsatisfactory: Out of scope

[c4-judge]

0xA5DF marked the issue as unsatisfactory: Out of scope