code-423n4 / 2021-08-floatcapital-findings


Markets cannot be initialized with payment tokens of few decimals #126

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The LongShort._seedMarketInitially function requires a minimum funding of 1e18 initialMarketSeedForEachMarketSide synthetic tokens which is then used to compute the amountToLockInYieldManager = initialMarketSeedForEachMarketSide * 2 payment tokens. But not all tokens have 18 decimals. In case of using USDC (6 decimals) or WBTC (8 decimals) as the payment token, this would require 2*10^12 USD or 2 * 10^10 WBTC * 40,000 USD/WBTC = 8 * 10^14 USD of initial capital which is too high for almost anyone to pay.

Impact

Markets with different decimals cannot be initialized as they would require a seed investment of over a billion USD.

Recommendation

Incorporate the payment token decimals into the equation. Either in require(initialMarketSeedForEachMarketSide >= 10**(paymentTokens[marketIndex].decimals()), "Insufficient market seed") or keep the initialMarketSeedForEachMarketSide in 1e18 but convert the amountToLockInYieldManager to an equivalent decimals value. For example, amountToLockInYieldManager = 2 * initialMarketSeedForEachMarketSide * 10**paymentToken.decimals() / 1e18
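The two options in the recommendation above, sketched as an added example (not part of the original report and not the project's code). The `SeedScaling` library, the `IERC20Decimals` interface and the function names are hypothetical, and the sketch assumes the payment token implements the optional ERC-20 `decimals()` function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token view. decimals() is optional in ERC-20, so this is an
// assumption about the payment token, not a guarantee.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Hypothetical helper library illustrating the report's recommendation.
library SeedScaling {
    // Option 1: the minimum seed is one whole payment token, expressed in
    // the token's own smallest units (1e6 for 6 decimals, 1e18 for 18).
    function minSeedInPaymentUnits(IERC20Decimals paymentToken)
        internal
        view
        returns (uint256)
    {
        return uint256(10) ** paymentToken.decimals();
    }

    // Option 2: the seed stays 1e18-based and only the amount locked in the
    // yield manager is converted to payment-token units, using the formula
    // given in the report.
    function amountToLockInYieldManager(
        uint256 initialMarketSeedForEachMarketSide,
        IERC20Decimals paymentToken
    ) internal view returns (uint256 amount) {
        require(
            initialMarketSeedForEachMarketSide >= 1e18,
            "Insufficient market seed"
        );
        uint256 unit = uint256(10) ** paymentToken.decimals();
        // Multiply before dividing to keep precision; Solidity 0.8 reverts
        // on overflow for tokens with unusually large decimals.
        amount = (2 * initialMarketSeedForEachMarketSide * unit) / 1e18;
        // Integer division truncates, so guard against a zero lock amount.
        require(amount > 0, "Seed rounds to zero");
    }
}
```

With a 6-decimal token and a seed of 1e18 per side, option 2 locks 2e6 units (two whole tokens) rather than 2e18 units.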

JasoonS commented 3 years ago

0 not-critical

Another of the many erc20 token issues that isn't valid.

TLDR - warden didn't read readme.

0xean commented 3 years ago

agree with sponsor on downgrading to non-critical based on the intended use of the contracts