Precision issues for pnl and fee will cause incorrect financial decisions based on the wrong profit/loss values in LibQuote.sol
Summary
Precision issues for pnl and fee in LibQuote.sol will cause incorrect financial decisions based on the wrong profit/loss values.
Root Cause
Solidity does not support floating-point numbers. Instead, it uses fixed-point arithmetic, which can lead to precision loss when dealing with very large or very small numbers.
Operations involving division and multiplication by large constants (like 1e18 or 1e36) can introduce rounding errors. These errors occur because Solidity truncates the decimal part of the result, leading to a loss of precision.
The uint256 data type, while capable of handling large integers, does not inherently support decimal places. This necessitates manual scaling (e.g., multiplying by 1e18), which can introduce precision issues if not handled carefully.
If currentPrice and quote.openedPrice are very close, the subtraction might result in a very small number, which, when multiplied and then divided by 1e18, can lead to a loss of precision.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
The pnl calculation results in -1, which is incorrect and misleading. This could lead to incorrect financial decisions based on the wrong profit/loss values.
Over multiple transactions, these small precision errors can accumulate, leading to significant financial discrepancies and potential losses.
Users may lose trust in the system if they notice discrepancies in their profit/loss calculations, which could affect the platform’s reputation.
PoC
Suppose currentPrice is $1,000.123456789012345678 and quote.openedPrice is $1,000.123456789012345679. The difference is extremely small, but due to precision limitations, it could be rounded off incorrectly.
safdie
Medium
Precision issues for
pnl
andfee
will cause incorrect financial decisions based on the wrong profit/loss values inLibQuote.sol
Summary
Precision issues for
pnl
andfee
inLibQuote.sol
will cause incorrect financial decisions based on the wrong profit/loss values.Root Cause
Solidity does not support floating-point numbers. Instead, it uses fixed-point arithmetic, which can lead to precision loss when dealing with very large or very small numbers.
Operations involving division and multiplication by large constants (like
1e18
or1e36
) can introduce rounding errors. These errors occur because Solidity truncates the decimal part of the result, leading to a loss of precision.The
uint256
data type, while capable of handling large integers, does not inherently support decimal places. This necessitates manual scaling (e.g., multiplying by 1e18), which can introduce precision issues if not handled carefully.The calculations for
pnl
andfee
involve division by1e18
and1e36
respectively. https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibQuote.sol#L139 https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibQuote.sol#L159 https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/libraries/LibQuote.sol#L161Consider the calculation of
pnl
ingetValueOfQuoteForPartyA
function:If
currentPrice
andquote.openedPrice
are very close, the subtraction might result in a very small number, which, when multiplied and then divided by1e18
, can lead to a loss of precision.Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
pnl
calculation results in-1
, which is incorrect and misleading. This could lead to incorrect financial decisions based on the wrong profit/loss values.PoC
Suppose
currentPrice
is $1,000.123456789012345678 andquote.openedPrice
is $1,000.123456789012345679. The difference is extremely small, but due to precision limitations, it could be rounded off incorrectly.Mitigation
ABDKMathQuad
orFixedPoint
to handle high-precision arithmetic operations.1e18
and1e36
, consider using higher precision multipliers if the underlying data supports it.