Code4rena (code423n4): CODE423N4:2023-11-CANTO-FINDINGS-ISSUES-511
Nov 17, 2023 - 12:00 a.m.

Pricing inconsistencies introduced via rounding/truncation errors

Code4rena
github.com
bonding curve
rounding errors
mathematical operations
fixed point math
solidity
pricing inconsistencies

7 High

AI Score

Confidence

Low

Lines of code

Vulnerability details

Impact

Calculating share/token prices via bonding curves involves mathematical operations such as logs and divisions, which can introduce a small rounding error each time a price is calculated.

Over many transactions, these errors could accumulate and lead to pricing inconsistencies that undermine the bonding curve model.

Proof of Concept

  • Bonding curves use math such as logs and divisions to calculate prices

  • Solidity only allows integer arithmetic, leading to truncation

  • Truncation errors are small but accumulate over thousands of trades

  • This could lead to the pricing model drifting from the intended curve over time

    function getPriceAndFee(uint256 shareCount, uint256 amount)
        external
        view
        override
        returns (uint256 price, uint256 fee)
    {
        for (uint256 i = shareCount; i < shareCount + amount; i++) {
            uint256 tokenPrice = priceIncrease * i;
            price += tokenPrice;
            fee += (getFee(i) * tokenPrice) / 1e18;
        }
    }
    

For example:

  • The price should be 2.35 tokens
  • But the internal calculation gives 2 tokens due to truncation
  • Repeated thousands of times, this compounds the error
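
To put a number on the truncation in the loop above, the following added example (not part of the original finding or the project's code) replays it in Python with flooring integer division and compares the result against exact rationals. `get_fee`, its 10% / floor(log2) rate and all input values are assumptions, since the body of `getFee` is not shown on the page.

```python
from fractions import Fraction

WAD = 10**18  # fixed-point scale used by the `/ 1e18` in the loop on the page


def get_fee(i: int) -> Fraction:
    """Hypothetical fee rate (assumption: getFee's body is not on the page).

    Models 10% / floor(log2(i)) as an exact rational scaled by WAD.
    """
    divisor = i.bit_length() - 1 if i > 1 else 1
    return Fraction(WAD // 10, divisor)


def price_and_fee_truncating(price_increase: int, share_count: int, amount: int):
    """The page's loop with uint256 semantics: every division floors."""
    price = fee = 0
    for i in range(share_count, share_count + amount):
        token_price = price_increase * i
        price += token_price
        # int() floors the positive rate, // floors the scaled product
        fee += (int(get_fee(i)) * token_price) // WAD
    return price, fee


def price_and_fee_exact(price_increase: int, share_count: int, amount: int):
    """Same loop evaluated over exact rationals, as the reference curve."""
    price, fee = 0, Fraction(0)
    for i in range(share_count, share_count + amount):
        token_price = price_increase * i
        price += token_price
        fee += get_fee(i) * token_price / WAD
    return price, fee


def truncation_drift(price_increase: int, share_count: int, amount: int):
    """Return (price drift, fee drift) = exact - truncating, in base units."""
    p_t, f_t = price_and_fee_truncating(price_increase, share_count, amount)
    p_e, f_e = price_and_fee_exact(price_increase, share_count, amount)
    return p_e - p_t, f_e - f_t


if __name__ == "__main__":
    # Constructed inputs: a tiny price step, then a larger 1000-share purchase.
    print(truncation_drift(7, 3, 1))
    print(truncation_drift(10**14, 1, 1000))
```

In this model the price sum contains no division and shows no drift. The fee is the only truncated quantity, and each loop iteration under-charges it by less than `1 + tokenPrice / 1e18` base units.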

Tools Used

Manual Review

Recommended Mitigation Steps

Implement the price calculation using fixed-point math to track decimals.

Assessed type

Math

