The _doSherX function does not return the correct precision of sherUsd and it is not the "Total amount of USD of the underlying tokens that are being transferred" that the documentation mentions.
sherUsd = amounts[i].mul(sx.tokenUSD[tokens[i]]);
Instead, the amount is inflated by 1e18, it should divide the amount by 1e18 to get a USD value with 18 decimal precision.
The severity is low as the calling site in payout makes up for it by dividing by 1e18 in the deduction computation.
We still recommend returning the correct amount in _doSherX already to match the documentation and avoid any future errors when using its unintuitive return value.
Handle
cmichel
Vulnerability details
The
_doSherXfunction does not return the correct precision ofsherUsdand it is not the "Total amount of USD of the underlying tokens that are being transferred" that the documentation mentions.Instead, the amount is inflated by
1e18, it should divide the amount by1e18to get a USD value with 18 decimal precision.The severity is low as the calling site in
payoutmakes up for it by dividing by1e18in thedeductioncomputation.We still recommend returning the correct amount in
_doSherXalready to match the documentation and avoid any future errors when using its unintuitive return value.