Category: Coding Mistakes
Loss of precision
Low Severity
Low Impact
Low Likelihood
Description
The DebtController::computeMaxInterest function computes the maximum interest that a user should be charged given a position size, age, and principal. Currently, the principal address is ignored and only the position size and age are considered.
    function computeMaxInterest(
        address,
        uint256 _principal,
        uint256 _lastFundingTimestamp
    ) public view returns(uint256 maxInterestToPay) {
        uint256 secondsSince = block.timestamp - _lastFundingTimestamp;
        maxInterestToPay = _principal * maxApy / APY_DENOMINATOR * secondsSince / (365 days);
    }
The function divides an intermediate result by APY_DENOMINATOR before multiplying again by secondsSince.
Impact
Dividing before multiplying or adding is generally discouraged because integer division truncates, so each early division introduces unnecessary rounding that later operations carry forward. This could result in a slightly lower than intended maximum interest.
Recommendations
Consider changing the computation to divide after all multiplications are done.
-maxInterestToPay = _principal * maxApy / APY_DENOMINATOR * secondsSince / (365 days);
+maxInterestToPay = _principal * maxApy * secondsSince / (APY_DENOMINATOR * 365 days);
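Review bot: On the added line, the numerator `_principal * maxApy * secondsSince` is now multiplied out in full before any division, so it peaks higher than any intermediate value in the removed line. It would help to add a comment stating the largest `_principal` and position age this supports without overflowing uint256, or to use a full-precision mulDiv helper, and to add a test that pins the new result against the old expression for an input where the two differ.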
Remediation
This issue has been acknowledged by Wasabi, and a fix was implemented in commit c6d230cd.
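An added example, not part of the original report or the Wasabi code base: a Python model of the audited and the recommended expression that measures how much interest the early division drops. The `MAX_APY` and `APY_DENOMINATOR` values are assumed (the page does not give them), and the overflow check assumes checked arithmetic as in Solidity 0.8 and later.

```python
# Python integers model Solidity's truncating unsigned division via `//`.
YEAR = 365 * 24 * 60 * 60            # Solidity's `365 days`, in seconds
UINT256_MAX = 2**256 - 1

# Assumed values: the page does not state maxApy or APY_DENOMINATOR.
APY_DENOMINATOR = 10_000
MAX_APY = 1_250                      # 12.5% under the assumed denominator


def checked_mul(a, b):
    """Multiply as checked uint256 arithmetic would (assumes Solidity >= 0.8)."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return product


def interest_divide_early(principal, seconds_since):
    """The audited expression: divides by APY_DENOMINATOR mid-way."""
    scaled = checked_mul(principal, MAX_APY) // APY_DENOMINATOR
    return checked_mul(scaled, seconds_since) // YEAR


def interest_divide_last(principal, seconds_since):
    """The recommended expression: a single division at the end."""
    numerator = checked_mul(checked_mul(principal, MAX_APY), seconds_since)
    return numerator // (APY_DENOMINATOR * YEAR)


def worst_shortfall(principals, seconds_since):
    """Largest undercharge of the early-division form over `principals`."""
    return max(interest_divide_last(p, seconds_since)
               - interest_divide_early(p, seconds_since) for p in principals)


if __name__ == "__main__":
    for label, age in (("0.6 years", YEAR * 3 // 5), ("10 years", 10 * YEAR)):
        print(label, "worst shortfall:", worst_shortfall(range(1, 2_000), age))
    # Headroom: the single-division numerator overflows at a principal
    # roughly APY_DENOMINATOR times smaller than the early-division form does.
    big = UINT256_MAX // (MAX_APY * YEAR) + 1
    print("early form still fits:", interest_divide_early(big, YEAR) > 0)
```

The shortfall is bounded by the position age in years, rounded up, so it stays within one base unit for positions younger than a year and grows only with age.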