code-423n4 / 2021-09-defiprotocol-findings


Publisher May Accidentally Publish New Index With Incorrect Token Decimals #146

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

leastwood

Vulnerability details

Impact

The defiProtocol platform expects all tokens to be 18 decimals; however, nowhere in the contracts is this behaviour enforced. As a result, if a publisher mistakenly publishes a new index with new tokens that don't conform to this standard, settleAuction() calculations will be incorrect.

Proof of Concept

https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Basket.sol#L170-L194
https://github.com/code-423n4/2021-09-defiProtocol/blob/main/contracts/contracts/Auction.sol#L96-L99

Tools Used

Manual Code Review

Recommended Mitigation Steps

Consider enforcing that all tokens in publishNewIndex() conform to an 18 decimals standard.

frank-beard commented 2 years ago

the 18 decimals base value refers to the basket token decimals, not the decimals of the underlying tokens.
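As an added illustration of the sponsor's point (this is example code, not the defiProtocol contracts), the Python model below assumes that the basket token has 18 decimals and that each index weight is stored as underlying base units owed per 1e18 basket base units. Under that assumption the only `1e18` in the settlement math belongs to the basket token, so tokens with 6, 8 or 18 decimals all settle correctly; the place where wrong decimals can bite is the publisher's off-chain conversion of a human-readable amount into base units, which the model also shows. The index, weights and symbols are constructed sample data.

```python
"""Illustrative model (not the defiProtocol contracts) of why a 1e18 base on the
basket token keeps settlement math independent of the underlying tokens' decimals."""
from decimal import Decimal
from typing import Optional

# Assumption: the basket token has 18 decimals, and an index weight is the number of
# underlying base units backing 1e18 basket base units (i.e. one whole basket token).
BASKET_DECIMALS = 18
BASKET_BASE = 10 ** BASKET_DECIMALS

# Constructed sample index: symbol -> (token decimals, human amount per basket token)
SAMPLE_INDEX = {
    "WETH": (18, "0.001"),
    "USDC": (6, "2"),
    "WBTC": (8, "0.00005"),
}


def weight_from_human(human_amount: str, token_decimals: int) -> int:
    """Publisher side: convert a human-readable per-basket amount into the token's
    own base units. This is where using the wrong decimals corrupts the index."""
    scaled = Decimal(human_amount) * (Decimal(10) ** token_decimals)
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{human_amount} is not representable with {token_decimals} decimals")
    return int(scaled)


def tokens_owed(weight: int, basket_amount: int) -> int:
    """Contract side: underlying base units backing `basket_amount` basket base units.
    Only the basket's 1e18 base appears here; the underlying's decimals never do."""
    return weight * basket_amount // BASKET_BASE


def to_human(amount: int, token_decimals: int) -> Decimal:
    """Render base units as a human-readable amount for display only."""
    return Decimal(amount) / (Decimal(10) ** token_decimals)


def publish(index: dict, assumed_decimals: Optional[dict] = None) -> dict:
    """Build the on-chain weights for an index. `assumed_decimals` models a publisher
    who believes some token has different decimals than it really has."""
    overrides = assumed_decimals or {}
    return {
        symbol: weight_from_human(human, overrides.get(symbol, decimals))
        for symbol, (decimals, human) in index.items()
    }


def settle(index: dict, weights: dict, basket_amount: int) -> dict:
    """Human-readable backing per token for `basket_amount` basket base units,
    computed from the stored weights exactly as the contract-side math would."""
    return {
        symbol: to_human(tokens_owed(weights[symbol], basket_amount), index[symbol][0])
        for symbol in index
    }


if __name__ == "__main__":
    ten_baskets = 10 * BASKET_BASE
    good = publish(SAMPLE_INDEX)
    print("correct weights:", good, "->", settle(SAMPLE_INDEX, good, ten_baskets))
    # Publisher mistakenly treats USDC as an 18-decimal token when building the index.
    bad = publish(SAMPLE_INDEX, assumed_decimals={"USDC": 18})
    print("USDC published with 18 decimals:", settle(SAMPLE_INDEX, bad, ten_baskets))
```

With correctly published weights, ten basket tokens are backed by 0.01 WETH, 20 USDC and 0.0005 WBTC; the 6- and 8-decimal tokens need no special handling because the divisor is the basket's base, not theirs. If the publisher converts "2 USDC" using 18 decimals instead of 6, the stored weight is 2e18 and the same settlement math demands 20 trillion USDC for those ten tokens, which is the kind of arbitrary value the judge notes users can simply decline to settle against.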

GalloDaSballo commented 2 years ago

Agree with sponsor that there is no enforcement at the decimal level.

If anything, the risk is that the publisher can grief the values by setting them to arbitrary values; if that were the case, though, users would just be able to opt out and decide not to settle the auction.

Setting this as invalid as there's no POC of this actually breaking.