Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Loss of funds due to decimal precision inconsistency #109

Open
hats-bug-reporter bot opened this issue Nov 8, 2024 · 4 comments
Open

Loss of funds due to decimal precision inconsistency #109

hats-bug-reporter bot opened this issue Nov 8, 2024 · 4 comments
Labels
invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0x9b1ed0ed45bed1ae3b907387a891ae2aa41eb7d790a80c976821c11911a4e7c6
Severity: medium

Description:
Description
The contract implements the assetsToShares functions which is called by the convertToShares function to calculate the amount of shares for an amount of input tokens. The function convertToShares is called during the execution of the deposit function. This function allows the user to burn an amount of tokens in exchange for some shares.

However, due to the calculation of the share amount in the assetsToShares function, there is a non-zero amount of tokens that can be deposited by the user and in exchange yield zero shares. Specifically, given the expression

Math.mulDiv(assets, 10 ** 18, currentPrice);

if assets is less than 10 ** 18, the amount of shares calculated for the user is zero. As a result, the user will proceed burning their tokens while they receive no shares in exchange. The contract should protect the users from loss of funds to ensure consistency and trust.

  1. Proof of Concept (PoC) File

The contract does not prevent users from depositing less than 10 ** 18 tokens and at the same time it does not ensure that the lowest possible deposit receives at least 1 share. Therefore, deposited amounts of this scale are irreversibly lost.

Recommendation

The team is advised to resolve this issue by either preventing users from depositing less than 10 ** 18 tokens or by increasing the share basis by a factor of 10 ** 18 so that 1Wei of deposited tokens is entitled 1 share.
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Nov 8, 2024
@0xupbill
Copy link

0xupbill commented Nov 8, 2024

I would like to update the description to explicitely state that all deposited assets < currentPrice/10 ** 18 receive no shares while accepted as valid deposits and the respective tokens are burned.

@AndreiMVP
Copy link

I don't see the issue here. OZ Math library handles the rounding. Is it about a loss due to the exact precision like #33? because it wouldn't be a prob in practice

@geaxed geaxed added invalid This doesn't seem right and removed bug Something isn't working labels Nov 18, 2024
@0xupbill
Copy link

It is the same issue from the side of the deposit. Imo since it allows the loss of value for a user it should be classified as a bug even if it is of moderate significance. The same is true for #33. both issues cn be resolved by increasing the base to account for the smallest units

@AndreiMVP
Copy link

I get losing a v small unit isn't perfect but it's not something I would worry about in practice since we're dealing with >= $1 stablecoins. So I don't see this as an issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AndreiMVP @geaxed @0xupbill