Description

The _startBounty and _endBounty functions in the SilicaPools contract calculates the bounty amount based on the collateral amount and the bounty fraction.

However, the collateral token could have a low decimal. In this case, the bounty amount is not expected to be calculated correctly because the bounty is divided by 10^18, which is hardcoded in the contract. It will be rounded to zero if the collateral token has a low decimal and the collateral amount is not large enough.

function _startBounty(PoolParams calldata poolParams) internal view returns (uint256 bounty) {
    bytes32 poolHash = hashPool(poolParams);
    ISilicaPools.PoolState storage sState = sPoolState[poolHash];

    uint256 collateral = sState.collateralMinted;

    // ...

!   bounty = (bountyFraction * collateral) / (10 ** 18);
}

function _endBounty(PoolParams calldata poolParams) internal view returns (uint256 bounty) {
    bytes32 poolHash = hashPool(poolParams);
    uint256 collateral = sPoolState[poolHash].collateralMinted;
    
    // ...

    uint256 bountyFraction =
        uncappedBountyFraction > sMaxBountyFraction ? sMaxBountyFraction : uncappedBountyFraction;

!   bounty = (bountyFraction * collateral) / (10 ** 18);
}

Impact

If the collateral token has a low decimal, the bounty amount will be calculated incorrectly. This means that the bounty system will not work as expected.

Recommendations

We recommend calculating the bounty amount based on the collateral token's decimal.

Remediation

This issue has been acknowledged by Alkimiya, and a fix was implemented in commit 6365dbe2↗.