Open code423n4 opened 3 years ago
balance
and balanceOfThis
mixes the usage of decimals by alternatingly using _normalizeDecimals
This can break accounting as well as create opportunities for abuse
A consistent usage of _normalizeDecimals
would mitigate
Handle
cmichel
Vulnerability details
The
Vault.balance
function uses thebalanceOfThis
function which scales ("normalizes") all balances to 18 decimals.Note that
balance()
's second termIController(manager.controllers(address(this))).balanceOf()
is not normalized. The code is adding a non-normalized amount (for example 6 decimals only for USDC) to a normalized (18 decimals).Impact
The result is that the
balance()
will be under-reported. This leads to receiving wrong shares whendeposit
ing tokens, and a wrong amount when redeemingtokens
.Recommended Mitigation Steps
The second term
IController(manager.controllers(address(this))).balanceOf()
must also be normalized before adding it.IController(manager.controllers(address(this))).balanceOf()
uses_vaultDetails[msg.sender].balance
which directly uses the raw token amounts which are not normalized.