defirisk.co
rubric v1.7.0

Divide-before-multiply pattern

A code & audits factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor runs the Slither divide-before-multiply detector on the protocol's deployed verified source code and records whether the detector fires on any function handling token amounts, exchange rates, or share calculations. The divide-before-multiply pattern, where a division is performed before a multiplication that depends on the intermediate result, causes precision loss that can be exploited to extract value by repeatedly rounding in the attacker's favor.

**Why it matters** Solidity arithmetic is integer-only: there is no fractional representation, and division truncates. Dividing before multiplying causes the intermediate result to lose precision, and the multiplication then scales that error. When the precision loss is consistent (e.g., always rounding down for the user, never for the protocol), an attacker can repeatedly exploit the rounding to extract small amounts per transaction at scale. The pattern appears in approximately seven documented hacks in the T-01 evidence inventory. It is particularly dangerous in exchange rate calculations, where shares-to-assets conversions are called millions of times by users.
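The precision loss described above, as an added example (not code from the rubric or from any scored protocol). Python's `//` on non-negative integers truncates the way Solidity's unsigned division does; the function names and pool figures are constructed for illustration.

```python
from fractions import Fraction

# Python's // on non-negative ints truncates like Solidity uint division.

def assets_div_first(shares, total_assets, total_shares):
    """Flagged shape: the quotient is truncated, then multiplied."""
    rate = total_assets // total_shares   # fractional part of the rate is lost here
    return shares * rate                  # ...and the loss is scaled by `shares`

def assets_mul_first(shares, total_assets, total_shares):
    """Reordered: multiply at full precision, truncate once at the end."""
    return shares * total_assets // total_shares

def worst_shortfall(amounts, total_assets, total_shares):
    """Largest gap between the exact rational result and each ordering."""
    worst = {"div_first": Fraction(0), "mul_first": Fraction(0)}
    for s in amounts:
        exact = Fraction(s * total_assets, total_shares)
        worst["div_first"] = max(
            worst["div_first"],
            exact - assets_div_first(s, total_assets, total_shares))
        worst["mul_first"] = max(
            worst["mul_first"],
            exact - assets_mul_first(s, total_assets, total_shares))
    return worst

# Constructed pool: 1.5 assets per share, amounts in base units.
TOTAL_ASSETS, TOTAL_SHARES = 1_500_000, 1_000_000
AMOUNTS = [1, 999, 123_457]

if __name__ == "__main__":
    for s in AMOUNTS:
        print(s,
              assets_div_first(s, TOTAL_ASSETS, TOTAL_SHARES),
              assets_mul_first(s, TOTAL_ASSETS, TOTAL_SHARES))
    print(worst_shortfall(AMOUNTS, TOTAL_ASSETS, TOTAL_SHARES))
```

The multiply-first ordering never loses a full base unit, while the divide-first error grows linearly with the amount. In Solidity the reordered form also needs headroom for the intermediate product, which is why full-precision multiply-then-divide helpers are commonly used.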

**Green / Yellow / Red** Green: the Slither divide-before-multiply detector reports no findings on the deployed verified source, or all findings are in non-financial computation paths confirmed by curator review. Yellow: findings exist in peripheral calculation paths (e.g., fee calculations with small absolute impact) but not in core exchange rate or collateral accounting functions. Red: the detector fires on a core exchange rate, share price, or collateral accounting function that directly affects user fund calculations.

**Common gray cases** This factor cannot be graded when the protocol's source is not verified on any explorer. It is gray for protocols written in Vyper or Yul where the Slither Solidity detector does not apply reliably.

Measurement: what to look for

Determine whether Slither's `divide-before-multiply` detector fires on the deployed verified source.

Data & output

**Data source** Slither `divide-before-multiply` detector on Etherscan-verified source

**Output format** Green / Yellow / Red

**Evidence artifact** Slither output JSON + flagged function list

**Confidence signal** green = 0 findings; yellow = findings in non-critical paths only (dismissed by curator); red = finding in price/accounting path; gray = source unverified
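One way to turn the evidence artifact into a grade, as an added example that is not the rubric's own tooling. It reads Slither's `--json` report, extracts the flagged function list, and applies the Green / Yellow / Red definitions from the methodology; the sample report, the contract and function names, and the curator label names (`core`, `peripheral`, `non_financial`) are assumptions made for illustration.

```python
import json

DETECTOR = "divide-before-multiply"
VALID_LABELS = {"core", "peripheral", "non_financial"}  # hypothetical label names

# Constructed sample in the shape of `slither --json` output, trimmed to the
# fields read below. Contract and function names are made up.
SAMPLE = json.loads("""
{"success": true, "results": {"detectors": [
  {"check": "divide-before-multiply", "elements": [
    {"type": "function", "name": "previewRedeem",
     "type_specific_fields": {"parent": {"type": "contract", "name": "Vault"}}},
    {"type": "node", "name": "rate = totalAssets / totalShares"}]},
  {"check": "divide-before-multiply", "elements": [
    {"type": "function", "name": "protocolFee",
     "type_specific_fields": {"parent": {"type": "contract", "name": "FeeModule"}}}]},
  {"check": "reentrancy-eth", "elements": [
    {"type": "function", "name": "withdraw",
     "type_specific_fields": {"parent": {"type": "contract", "name": "Vault"}}}]}
]}}
""")

def flagged_functions(report):
    """Return sorted 'Contract.function' names flagged by the detector."""
    names = set()
    for finding in report.get("results", {}).get("detectors", []):
        if finding.get("check") != DETECTOR:
            continue  # other detectors belong to other factors
        for el in finding.get("elements", []):
            if el.get("type") == "function":
                parent = el.get("type_specific_fields", {}).get("parent", {})
                names.add(f"{parent.get('name', '?')}.{el['name']}")
    return sorted(names)

def grade(report, curator_labels):
    """report=None means no verified source. curator_labels maps every
    flagged function to one of VALID_LABELS (the curator's decision)."""
    if report is None:
        return "gray", []
    flagged = flagged_functions(report)
    unreviewed = [f for f in flagged if curator_labels.get(f) not in VALID_LABELS]
    if unreviewed:
        raise ValueError(f"curator review missing for: {unreviewed}")
    labels = {curator_labels[f] for f in flagged}
    if "core" in labels:
        return "red", flagged
    if "peripheral" in labels:
        return "yellow", flagged
    return "green", flagged  # no findings, or all in non-financial paths
```

A finding without a curator label raises instead of defaulting to a color, so an unreviewed detector hit cannot silently become green.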

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-016 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | yellow |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | gray |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | gray |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | gray |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | gray |
| Meteora | solana | gray |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | gray |
| QuickSwap | polygon | yellow |
| Raydium | solana | green |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-016 category 1 carried 80 critical no