code-423n4 / 2021-04-maple-findings


Not ERC20 Compliant #108

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

janbro

Vulnerability details

Summary

Code is not technically ERC20 compliant.

Risk Rating

Low

Vulnerability Details

Loan.sol Line 511: return amt.mul(10 ** 18).div(10 ** IERC20Details(address(liquidityAsset)).decimals());

Pool.sol Line 547: return amt.mul(WAD).div(10 ** liquidityAssetDecimals);

LoanLib.sol Line 247: return amt.mul(10 ** 18).div(10 ** liquidityAsset.decimals());

ERC20 tokens aren't guaranteed to implement ERC20Detailed standard on chain as it's optional. "OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present." See https://eips.ethereum.org/EIPS/eip-20#methods.

Impact

Some ERC20 tokens may not be supported.

Tools Used

Manual code review

Recommended Mitigation Steps

Acknowledge liquidity assets must implement decimals function.

lucas-manuel commented 3 years ago

We are aware of this and will be evaluating newly onboarded tokens manually with this in mind. Not a bug.
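One way to enforce the "liquidity assets must implement decimals" requirement when an asset is onboarded, as an added example that is not part of the original issue or of Maple's code. It assumes Solidity ^0.8.0 (checked arithmetic instead of the SafeMath `.mul`/`.div` calls quoted above); `DecimalsProbe`, `tryDecimals`, `WadConverter` and `toWad` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Maple code. All names here are hypothetical.
library DecimalsProbe {
    // Probes the optional EIP-20 decimals() method without assuming it exists.
    // Returns (false, 0) when the call reverts, the target has no code
    // (staticcall succeeds with empty return data), or the value does not fit uint8.
    function tryDecimals(address token) internal view returns (bool ok, uint8 dec) {
        (bool success, bytes memory data) =
            token.staticcall(abi.encodeWithSignature("decimals()"));
        if (success && data.length >= 32) {
            uint256 raw = abi.decode(data, (uint256));
            if (raw <= type(uint8).max) {
                return (true, uint8(raw));
            }
        }
        return (false, 0);
    }
}

contract WadConverter {
    uint256 internal constant WAD = 10 ** 18;

    address public immutable liquidityAsset;
    uint8 public immutable liquidityAssetDecimals;

    // Fails at deployment, rather than on a later conversion call,
    // if the asset cannot report its decimals.
    constructor(address asset) {
        (bool ok, uint8 dec) = DecimalsProbe.tryDecimals(asset);
        require(ok, "asset does not implement decimals()");
        // 10 ** 77 is the largest power of ten that fits in a uint256.
        require(dec <= 77, "decimals out of range");
        liquidityAsset = asset;
        liquidityAssetDecimals = dec;
    }

    // Same scaling as the quoted lines, using the cached value
    // instead of an external decimals() call on every conversion.
    function toWad(uint256 amt) public view returns (uint256) {
        return amt * WAD / 10 ** uint256(liquidityAssetDecimals);
    }
}
```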