Closed code423n4 closed 3 years ago
As noted in the readme
TokenX = 18 decimals, price precision = 18 decimals
TokenY = 8 decimals, price precision = 28 decimals
TokenZ = 6 decimals, price precision = 30 decimals
Does this fix the issue?
After discussing this finding with the warden it was concluded this is a non-issue.
marking as invalid
Handle
cmichel
Vulnerability details
The
_doSherX
function computes the burned SherX tokensdeduction
as:This seems to only work if
tokens[i]
has 18 decimals, as the computation gives a precision of:If
tokens[i]
has a precision of less than 18 (like USDC/USDT), fewer tokens will be burned breaking the accounting as the USD pool per SherX price decreased drastically.Recommendation
Assuming
tokenUSD
is always in 18 decimals (I could not figure this out as this parameter is only set from off-chain), and all listed tokens always have <= 18 decimals, multiplydeduction
by10**(18-tokenIDecimals)
to receive the amount in SherX tokens.