Category: Coding Mistakes
Incorrect calculation of share_proportion
Medium Impact
Medium Severity
High Likelihood
Description
share_proportion is calculated incorrectly in execute_deposit.
At the time of writing, the calculation is asset_amounts * BPS_BASE / deposit_amounts. This does not yield the depositor's percentage of the deposit: the division is performed in the wrong direction, so the exact ratio is not calculated.
// meridian_executor/executor.move
public entry fun execute_deposit(
    // Standard deposit params
    nonce: u256,
    market_hash: address,
    // Meridian specific params
    pool_obj: Object<Pool>
) acquires ExecutorController, SmartSigner {
    // [...]
    vector::for_each(simple_map::keys(&depositor_map), |depositor_eth_address| {
        // Determine the proportion of the deposit that the user contributed to the pool
        let deposit_amounts = *simple_map::borrow(&depositor_map, &depositor_eth_address);
        let share_proportion = math64::mul_div(*vector::borrow(&asset_amounts, 0), BPS_BASE, *vector::borrow(&deposit_amounts, 0)); // NOTE: the proportion should be the same for first vs. second asset
        let depositor_lp_token_share = math64::mul_div(lp_token_amount, share_proportion, BPS_BASE);
        let depositor_refund_shares = vector::map_ref(&refund_assets_amounts, |amount| math64::mul_div(*amount, share_proportion, BPS_BASE));
        // [...]
    });
    // [...]
}
Impact
Due to the incorrect calculation, depositor_lp_token_share and depositor_refund_shares are also incorrectly calculated. This means that the correct values will not be deposited.
Recommendations
For an accurate calculation, it should be deposit_amounts * BPS_BASE / asset_amounts.
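The two formulas compared on the same inputs, as an added Python model (not code from the audited project or the fix commit). The BPS_BASE value of 10,000, the reading of asset_amounts as the pool-wide total, and the sample deposits are assumptions made for illustration.

```python
BPS_BASE = 10_000          # assumed: basis-point denominator
U64_MAX = 2**64 - 1

def mul_div(a, b, c):
    """Model of a u64 mul_div: floor(a * b / c), aborting on bad input."""
    if c == 0:
        raise ZeroDivisionError("division by zero aborts the transaction")
    result = a * b // c
    if result > U64_MAX:
        raise OverflowError("result does not fit in u64")
    return result

def proportion_as_audited(asset_amount, deposit_amount):
    # asset_amounts * BPS_BASE / deposit_amounts (the formula in the finding)
    return mul_div(asset_amount, BPS_BASE, deposit_amount)

def proportion_recommended(asset_amount, deposit_amount):
    # deposit_amounts * BPS_BASE / asset_amounts (the recommended formula)
    return mul_div(deposit_amount, BPS_BASE, asset_amount)

def distribute(lp_token_amount, deposits, proportion_fn):
    """Per-depositor LP share, mirroring the loop in execute_deposit."""
    asset_amount = sum(deposits.values())  # assumed: pool-wide total
    shares = {}
    for depositor, deposit_amount in deposits.items():
        share_proportion = proportion_fn(asset_amount, deposit_amount)
        shares[depositor] = mul_div(lp_token_amount, share_proportion, BPS_BASE)
    return shares

def conserves_supply(lp_token_amount, shares):
    """Invariant: shares handed out never exceed the LP tokens received."""
    return sum(shares.values()) <= lp_token_amount

# Constructed sample data: three depositors, 1,000 LP tokens to split.
DEPOSITS = {"0xaaa": 600, "0xbbb": 300, "0xccc": 100}
LP_TOKEN_AMOUNT = 1_000

if __name__ == "__main__":
    for name, fn in (("audited", proportion_as_audited),
                     ("recommended", proportion_recommended)):
        shares = distribute(LP_TOKEN_AMOUNT, DEPOSITS, fn)
        print(name, shares, "conserves supply:",
              conserves_supply(LP_TOKEN_AMOUNT, shares))
```

With the audited formula every proportion is at least BPS_BASE, so each depositor is credited with at least the full LP amount; a supply-conservation assertion of this kind in a unit test catches the inverted ratio.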
Remediation
This issue has been acknowledged by Echelon, and a fix was implemented in commit 03b432fd.