Division before Multiplication May Result In No Interest Being Accrued #97
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/vaults/NFTVault.sol#L590-L595
Vulnerability details
Impact
There is a division before multiplication bug in `NFTVault._calculateAdditionalInterest()` which may result in no interest being accrued and will have significant rounding issues for tokens with small decimal places.
This issue occurs since an intermediate calculation of `interestPerSec` may round to zero and therefore the multiplication by `elapsedTime` may remain zero.
Furthermore, even if `interestPerSec > 0` there will still be rounding errors as a result of doing division before multiplication, and `_calculatedInterest()` will be understated.
This issue is significant as one divisor is 365 days = 30,758,400 (excluding the rate). Since many ERC20 tokens such as USDC and USDT only have 6 decimal places, a numerator of less than 30 * 10^6 will round to zero.
The rate also multiplies into the denominator, e.g. if the rate is 1% then the denominator will be equivalent to `1 / rate * 30 * 10^6 = 3,000 * 10^6`.
Proof of Concept
The order of operations for the interest calculations:
totalDebtAmount
settings.debtInterestApr.numerator
settings.debtInterestApr.denominator
365 days
elapsedTime
If the intermediate value of `interestPerSec = 0` then the multiplication by `elapsedTime` will still be zero and no interest will be accrued.
Excerpt from `NFTVault._calculateAdditionalInterest()`.
Recommended Mitigation Steps
This issue may be resolved by performing the multiplication by `elapsedTime` before the division by the denominator or `365 days`.
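The two orderings compared numerically, as an added example that is not code from the report or from the JPEG'd contracts. It models Solidity's truncating unsigned division with Python's `//`; the function names, the 6-decimal token amounts and the one-day `elapsed` value are constructed for illustration, and the 1% rate follows the report's example.

```python
# Solidity's `365 days` literal evaluates to this many seconds.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

def interest_divide_first(debt, apr_num, apr_den, elapsed):
    """Ordering the report describes: reduce to a per-second rate, then multiply."""
    interest_per_year = debt * apr_num // apr_den
    interest_per_sec = interest_per_year // SECONDS_PER_YEAR  # may truncate to 0
    return elapsed * interest_per_sec

def interest_multiply_first(debt, apr_num, apr_den, elapsed):
    """Recommended ordering: every multiplication first, one truncation at the end."""
    return debt * apr_num * elapsed // (apr_den * SECONDS_PER_YEAR)

def min_debt_for_nonzero_rate(apr_num, apr_den):
    """Smallest debt (in base units) for which divide-first accrues anything.

    floor(debt * num / den) >= S  <=>  debt >= ceil(S * den / num)
    """
    return -(-SECONDS_PER_YEAR * apr_den // apr_num)  # ceiling division

def understated_by(debt, apr_num, apr_den, elapsed):
    """Base units of interest lost to the divide-first ordering."""
    return (interest_multiply_first(debt, apr_num, apr_den, elapsed)
            - interest_divide_first(debt, apr_num, apr_den, elapsed))

if __name__ == "__main__":
    ONE_DAY = 24 * 60 * 60
    APR = (1, 100)  # 1% rate, as in the report's example
    threshold = min_debt_for_nonzero_rate(*APR)
    print(f"divide-first accrues nothing below {threshold} base units")
    # Constructed debts in base units of a 6-decimal token.
    for debt in (1_000 * 10**6, threshold - 1, threshold, 5_000 * 10**6):
        bad = interest_divide_first(debt, *APR, ONE_DAY)
        good = interest_multiply_first(debt, *APR, ONE_DAY)
        print(f"debt={debt:>13} divide_first={bad:>7} multiply_first={good:>7}")
```

In Solidity the multiply-first product must still fit in `uint256`, so the reordering is only safe where the operand ranges bound that intermediate value.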