Closed code423n4 closed 3 years ago
This is a misunderstanding of our fixed point math; we could have used 10, 12, 20 or any other number of decimals. It doesn't care what the denomination of the number is; it simply shifts it 18 decimal places to improve the accuracy of fractions.
We used 18 because it's a familiar number, plenty accurate, and is easy to format.
Per sponsor's explanation, closing.
Handle
tensors
Vulnerability details
Impact
The functions in FixedMath assume the tokens you are working with have 18 decimals. It looks like all yield sources currently use 18 decimals, new tokens added need to be checked.
Proof of Concept
https://github.com/pooltogether/fixed-point/blob/c513c2da18aa5f8787cb84befdb7da9e4a52ae2b/contracts/FixedPoint.sol#L33
https://github.com/pooltogether/fixed-point/blob/c513c2da18aa5f8787cb84befdb7da9e4a52ae2b/contracts/FixedPoint.sol#L59
https://github.com/pooltogether/aave-yield-source/blob/bc65c875f62235b7af55ede92231a495ba091a47/contracts/yield-source/ATokenYieldSource.sol#L145-L149
Dividing by the wrong scale can lose tokens if the number of decimals is <18. If the number of decimals is >18, then the decimals past the 18th digit will be truncated to 0, but this typically doesn't matter.
Recommended Mitigation Steps
Generalize the variables used (1e18) in FixedMath, or double check decimals with new team members before adding yield sources.