Skip to content
This repository has been archived by the owner on Dec 31, 2023. It is now read-only.

PRAISE - possible precision loss when calculating borrows in D3VaultLiquidation.liquidate() because of division before multiplication #43

Closed
sherlock-admin opened this issue Jul 1, 2023 · 0 comments
Closed

PRAISE - possible precision loss when calculating borrows in D3VaultLiquidation.liquidate() because of division before multiplication #43

sherlock-admin opened this issue Jul 1, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Jul 1, 2023
edited by github-actions bot
Loading

PRAISE

high

possible precision loss when calculating borrows in D3VaultLiquidation.liquidate() because of division before multiplication

Summary

D3VaultLiquidation.liquidate() divides before multiplying when calculating borrows

Vulnerability Detail

please take a look at the snippet below

 uint256 borrows = record.amount.div(record.interestIndex == 0 ? 1e18 : record.interestIndex).mul(info.borrowIndex);
//@audit it divides before multiplying

--- record.amount is divided by 1e18 if record.interestIndex == 0 or by record.interestIndex if it's != 0, then it's multiplied by info.borrowIndex

lets say:
record.amount = 5000,
record.interestIndex = 7,
record.borrowIndex = 5,

Now normal maths will have 5000 / 7 which will give 714.2857142857 then multiplying it by 5 = 3571.4285714285

But in solidity when we do 5000/7 we'll have 714 and not 714.285714285 because solidity truncates values when dividing, then multiplying by 5 we'll have 3570 instead of 3571.4285714285.

In the above instance there's a loss of about 1.428571428500163

Impact

  1. precision loss when calculating borrows in D3VaultLiquidation.liquidate()

  2. it might affect the require statement below it making it to revert in a situation where user puts his exact record.amount as debtToCover when calling D3VaultLiquidation.liquidate()

 require(debtToCover <= borrows, Errors.DEBT_TO_COVER_EXCEED);

because of the precision loss the borrows calculated will loss precision and be lesser than debtToCover.

  1. incorrect values will be updated here
 record.amount = borrows - debtToCover;

Code Snippet

https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/D3Vault/D3VaultLiquidation.sol#L53-L54

Also here
https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/D3Vault/D3VaultFunding.sol#L99

Tool used

Manual Review

Recommendation

look for a more efficient way to calculate borrows but don't divide before multiplying so as to avoid precision loss

Duplicate of #45
@github-actions github-actions bot closed this as completed Jul 5, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 5, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jul 24, 2023
@sherlock-admin3 sherlock-admin3 mentioned this issue Aug 3, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin