code-423n4 / 2022-01-openleverage-findings


Wrong reward calculation #197

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0x1f8b

Vulnerability details

Impact

Wrong computation for tokens with decimals different than 18.

Proof of Concept

The contract FarmingPools assumes that the staking token has 18 decimals for the reward computation; these decimals must be checked or the logic could be unpredictable.

The methods rewardPerToken and earned use 1e18 in order to remove or add the decimal values.

Affected source:

Tools Used

Manual review.

Recommended Mitigation Steps

Check that the contract has 18 decimals or change the logic.

ColaM12 commented 2 years ago

The reward token is OLEToken. See contracts/gov/OLEToken.sol

0xleastwood commented 2 years ago

Reward token is OLEToken.sol and uses 18 decimals.
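
The 1e18 scaling in rewardPerToken and earned discussed in this thread can be checked with a small integer model. This is an added example, not code from the report or from OpenLeverage; it assumes FarmingPools follows the common Synthetix-style StakingRewards formulas (the page does not show the source), and `PoolModel`, `simulate` and the sample rates are hypothetical names and constructed values.

```python
# Added example: integer model of Synthetix-style staking reward math.
# ASSUMPTION: these formulas are the common StakingRewards pattern; the
# page does not show the FarmingPools source. All names are hypothetical.
PRECISION = 10**18  # the 1e18 constant the finding refers to


class PoolModel:
    def __init__(self, reward_rate):
        self.reward_rate = reward_rate  # reward-token base units per second
        self.total_supply = 0           # staked total, stake-token base units
        self.last_update = 0
        self.rpt_stored = 0             # reward per staked unit, scaled by PRECISION
        self.balances, self.rpt_paid, self.rewards = {}, {}, {}

    def reward_per_token(self, now):
        if self.total_supply == 0:
            return self.rpt_stored
        dt = now - self.last_update
        # Scale up by PRECISION before the integer division.
        return self.rpt_stored + dt * self.reward_rate * PRECISION // self.total_supply

    def earned(self, user, now):
        delta = self.reward_per_token(now) - self.rpt_paid.get(user, 0)
        # Scale back down: the result is in reward-token base units.
        return self.balances.get(user, 0) * delta // PRECISION + self.rewards.get(user, 0)

    def stake(self, user, amount, now):
        # Checkpoint the accumulator and the user's rewards before changing balances.
        self.rpt_stored = self.reward_per_token(now)
        self.last_update = now
        self.rewards[user] = self.earned(user, now)
        self.rpt_paid[user] = self.rpt_stored
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount


def simulate(stake_decimals, seconds=1000, reward_rate=2 * 10**18):
    """Constructed scenario: alice stakes 100 tokens, bob 300, both at t=0."""
    unit = 10**stake_decimals
    pool = PoolModel(reward_rate)
    pool.stake("alice", 100 * unit, now=0)
    pool.stake("bob", 300 * unit, now=0)
    return pool.earned("alice", seconds), pool.earned("bob", seconds)


if __name__ == "__main__":
    for decimals in (6, 18, 24):
        print(decimals, simulate(decimals))
    # Very small reward rate: integer truncation differs with stake decimals.
    print(simulate(18, seconds=5, reward_rate=1), simulate(6, seconds=5, reward_rate=1))
```

In this model the 1e18 factor cancels between the two functions, so payouts are in reward-token base units for any staking-token decimals; the decimals only change how much is lost to integer truncation at very small reward rates.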