sherlock-audit / 2024-02-smilee-finance-judging


cheatcode - Rounding Errors in Conversion from Asset Amount to Shares #149

Closed sherlock-admin3 closed 8 months ago

sherlock-admin3 commented 9 months ago

cheatcode

medium

Rounding Errors in Conversion from Asset Amount to Shares

Summary

See below.

Vulnerability Detail

The getSharesFromReceipt function in the VaultLib library calculates the unredeemed shares for a given deposit receipt.

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/lib/VaultLib.sol#L112

function getSharesFromReceipt(
    DepositReceipt calldata depositReceipt,
    uint256 currentEpoch,
    uint256 sharePrice,
    uint8 tokenDecimals
) external pure returns (uint256 unredeemedShares) {
    if (depositReceipt.epoch == 0 || depositReceipt.epoch == currentEpoch) {
        return depositReceipt.unredeemedShares;
    }

    uint256 sharesFromRound = assetToShares(depositReceipt.amount, sharePrice, tokenDecimals);
    return depositReceipt.unredeemedShares + sharesFromRound;
}

The assetToShares function performs the conversion from asset amount to shares:

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/lib/VaultLib.sol#L57

function assetToShares(uint256 assetAmount, uint256 sharePrice, uint8 tokenDecimals) public pure returns (uint256) {
    // If sharePrice goes to zero, the asset cannot minted, this means the assetAmount is to rescue
    if (sharePrice == 0) {
        return 0;
    }
    if (assetAmount == 0) {
        return 0;
    }

    return (assetAmount * 10 ** tokenDecimals) / sharePrice;
}

Impact

The division operation (assetAmount * 10 ** tokenDecimals) / sharePrice can result in rounding errors, especially when assetAmount is small compared to the sharePrice. This rounding error can lead to the sharesFromRound value being rounded down to zero, effectively nullifying the user's deposit and making them unable to claim any shares.

Code Snippet

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/lib/VaultLib.sol#L112

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/lib/VaultLib.sol#L57

Tool used

Manual Review

Recommendation

sherlock-admin4 commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, even if there is rounding error, it will be at the magnitude of a few wei. 0 amount should not be more achievable this way (and if it is, it will revert)

tsvetanovv commented:

Low
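Added example, not part of the original issue, its comments, or the Smilee code base: a Python model of the integer division in assetToShares that computes the smallest deposit converting to a non-zero share amount and the asset value discarded by the floor. The helpers min_nonzero_deposit and rounding_loss and all sample amounts and prices are assumptions constructed for illustration; uint256 overflow is not modeled.

```python
from fractions import Fraction

def asset_to_shares(asset_amount: int, share_price: int, token_decimals: int) -> int:
    """Port of assetToShares as quoted in the issue; // floors like Solidity uint division."""
    if share_price == 0 or asset_amount == 0:
        return 0
    return (asset_amount * 10 ** token_decimals) // share_price

def min_nonzero_deposit(share_price: int, token_decimals: int):
    """Hypothetical helper: smallest asset amount (base units) that yields >= 1 share unit.
    a * 10^d >= price  <=>  a >= ceil(price / 10^d)."""
    if share_price == 0:
        return None  # assetToShares returns 0 for every amount at price 0
    return -(-share_price // 10 ** token_decimals)  # ceiling division

def rounding_loss(asset_amount: int, share_price: int, token_decimals: int) -> Fraction:
    """Hypothetical helper: asset value (base units) discarded by the floor.
    The division remainder r is worth r / 10^d asset units, always < price / 10^d."""
    if share_price == 0 or asset_amount == 0:
        return Fraction(0)  # no division is performed on these paths
    remainder = (asset_amount * 10 ** token_decimals) % share_price
    return Fraction(remainder, 10 ** token_decimals)

if __name__ == "__main__":
    # Constructed cases: (label, asset amount, share price, token decimals)
    cases = [
        ("18 dec, price 1.5, deposit 1 wei", 1, 15 * 10 ** 17, 18),
        ("18 dec, price 1.5, deposit 2 wei", 2, 15 * 10 ** 17, 18),
        ("6 dec, price 1.05, deposit 1.0 token", 1_000_000, 1_050_000, 6),
    ]
    for label, amount, price, dec in cases:
        print(f"{label}: shares={asset_to_shares(amount, price, dec)}, "
              f"lost={rounding_loss(amount, price, dec)} base units, "
              f"min deposit={min_nonzero_deposit(price, dec)}")
```

The model shows that the result is zero only when assetAmount is below sharePrice / 10^tokenDecimals, and that the truncated value per conversion stays below that same quantity.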