code-423n4 / 2024-04-panoptic-findings


Precision Loss Due to Division Before Multiplication. #577

Closed c4-bot-1 closed 2 months ago

c4-bot-1 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-panoptic/blob/833312ebd600665b577fbd9c03ffa0daf250ed24/contracts/CollateralTracker.sol#L249

Vulnerability details

Impact

The impact of this vulnerability can lead to incorrect calculations, which might result in financial losses, incorrect state updates, or even allow for exploits.

Proof of Concept

The provided code snippets demonstrate the vulnerability through various instances where division is performed before multiplication. For example, in the CollateralTracker.startToken function, the _poolFee is calculated by dividing fee by 100 and then multiplying by ITM_SPREAD_MULTIPLIER and DECIMALS. Similarly, in the PanopticFactory._mintFullRange function, tickLower is calculated by dividing Constants.MIN_V3POOL_TICK by tickSpacing and then multiplying by tickSpacing. These operations can lead to precision loss due to the truncation of integer division in Solidity.

Tools Used

Slither was used to identify this vulnerability.

Recommended Mitigation Steps

To mitigate this vulnerability, it's recommended to rearrange arithmetic operations to perform multiplication before division, unless the limit of a smaller type makes this dangerous. This approach helps to preserve precision and avoid unintended results. Here are some general guidelines for mitigation:

  1. Reorder Operations: Whenever possible, rearrange the order of operations to perform multiplication before division. This can be particularly important in financial calculations where precision is critical.

  2. Use SafeMath or Solidity 0.8.x: If you're using a version of Solidity prior to 0.8.0, consider using the SafeMath library for arithmetic operations to prevent overflows and underflows. Solidity 0.8.0 and later versions include built-in overflow and underflow checks, which can help mitigate some of these risks.

Assessed type

Math
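As an added illustration (not code from this issue or the Panoptic repository), the following Python models Solidity's integer semantics (truncation toward zero, checked uint256 arithmetic) to show the two patterns the finding names, plus the overflow caveat in the mitigation; the fee, multiplier, decimals and tickSpacing values are assumptions, and the tick is assumed to equal Uniswap V3's MIN_TICK.

```python
# Added example, not Panoptic code: models Solidity integer arithmetic in Python.
# All numeric inputs below are constructed for illustration.
UINT256_MAX = 2**256 - 1
INT24_MIN, INT24_MAX = -(2**23), 2**23 - 1


def evm_div(a: int, b: int) -> int:
    """Solidity integer division: truncates toward zero, unlike Python's // (floor)."""
    if b == 0:
        raise ZeroDivisionError("division by zero reverts in the EVM")
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def checked_uint256(x: int) -> int:
    """Solidity >=0.8 checked arithmetic: a uint256 intermediate out of range reverts."""
    if not 0 <= x <= UINT256_MAX:
        raise OverflowError("uint256 overflow/underflow")
    return x


def pool_fee_div_first(fee: int, spread_mult: int, decimals: int) -> int:
    """Pattern the finding reports: divide fee by 100, then multiply.
    Truncation happens early, so the part of fee below 100 is lost before scaling."""
    return checked_uint256(checked_uint256(evm_div(fee, 100) * spread_mult) * decimals)


def pool_fee_mul_first(fee: int, spread_mult: int, decimals: int) -> int:
    """Reordered form: multiply first, divide once at the end."""
    return evm_div(checked_uint256(checked_uint256(fee * spread_mult) * decimals), 100)


def reorder_overflows(fee: int, spread_mult: int, decimals: int) -> bool:
    """The mitigation's caveat: multiplying first can revert on overflow
    for inputs where the divide-first form did not."""
    try:
        pool_fee_mul_first(fee, spread_mult, decimals)
    except OverflowError:
        return True
    return False


def aligned_tick(tick: int, tick_spacing: int) -> int:
    """tick / tickSpacing * tickSpacing: here the truncation is the purpose of the
    expression (snap the tick to a multiple of tickSpacing, toward zero), so
    reordering would change what it computes rather than improve precision."""
    result = evm_div(tick, tick_spacing) * tick_spacing
    if not INT24_MIN <= result <= INT24_MAX:
        raise OverflowError("int24 overflow")
    return result


if __name__ == "__main__":
    print(pool_fee_div_first(250, 10, 10**6), pool_fee_mul_first(250, 10, 10**6))
    print(aligned_tick(-887272, 60))
```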

c4-judge commented 2 months ago

Picodes marked the issue as unsatisfactory: Invalid