Description
There's a rounding error in L2 Curation that allows exploiters to pay zero tax while minting signal on subgraphs.
Attack
In L2Curation.sol, when depositing less than 100 wei GRT, the function tokensToSignal will calculate 0 tax to be paid because of a rounding-down error:
uint256 curationTax = _tokensIn.mul(uint256(curationTaxPercentage)).div(MAX_PPM);
When MAX_PPM > _tokensIn.mul(uint256(curationTaxPercentage)), the curation tax will be 0. While nobody will want to curate such small amounts, it introduces the possibility for attackers to repeatedly exploit this vulnerability until they reach the desired signal without incurring any tax deduction.
L1 Note
While the same code vulnerability exists on L1, the current protocol configuration has minimumCurationDeposit set to 1 GRT (equal to 1e18), so the round down to 0 will never happen.
Solution
We calculate the tax to be paid first and then calculate the amount of signal generated by subtracting the tax from the deposit tokens.
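The rounding described under Attack and the minimumCurationDeposit guard from the L1 Note, modeled in Python as an added example (not the project's code) that an auditor can use to check a deployment's parameters. MAX_PPM = 1,000,000 and a 1% tax (10,000 PPM) are assumptions consistent with the "less than 100 wei" figure, and the function names are hypothetical.

```python
# Added example: models the integer arithmetic of the quoted Solidity line.
# MAX_PPM and the sample tax rates are assumptions, not values read from chain.
MAX_PPM = 1_000_000   # assumed parts-per-million denominator
ONE_GRT = 10**18      # 1 GRT in wei, as stated in the L1 note


def curation_tax(tokens_in: int, tax_ppm: int) -> int:
    """Floor division, as in _tokensIn.mul(curationTaxPercentage).div(MAX_PPM)."""
    return tokens_in * tax_ppm // MAX_PPM


def min_taxed_deposit(tax_ppm: int) -> int:
    """Smallest deposit in wei whose tax is non-zero: ceil(MAX_PPM / tax_ppm)."""
    if tax_ppm <= 0:
        raise ValueError("tax rate is zero; no deposit is ever taxed")
    return -(-MAX_PPM // tax_ppm)  # ceiling division on integers


def config_is_safe(min_deposit: int, tax_ppm: int) -> bool:
    """True when the configured minimum deposit always yields a non-zero tax."""
    return min_deposit >= min_taxed_deposit(tax_ppm)


def tax_shortfall(total: int, chunk: int, tax_ppm: int) -> int:
    """Tax lost to rounding when `total` wei arrives in deposits of `chunk` wei."""
    if chunk <= 0:
        raise ValueError("chunk must be positive")
    full, rest = divmod(total, chunk)
    paid = full * curation_tax(chunk, tax_ppm) + curation_tax(rest, tax_ppm)
    return curation_tax(total, tax_ppm) - paid


if __name__ == "__main__":
    tax_ppm = 10_000  # assumed 1% curation tax
    print("first taxed deposit (wei):", min_taxed_deposit(tax_ppm))
    print("1 GRT minimum is safe:", config_is_safe(ONE_GRT, tax_ppm))
    print("1 wei minimum is safe:", config_is_safe(1, tax_ppm))
    print("shortfall, 9900 wei in 99-wei deposits:", tax_shortfall(9900, 99, tax_ppm))
```

Any minimum deposit at or above min_taxed_deposit() removes the zero-tax case, which is why the 1 GRT minimum on L1 is sufficient.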