code-423n4 / 2022-08-frax-findings


Decimals limitation limits the tokens that can be used #200

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L539

Vulnerability details

Impact

Decimals limitation limits the tokens that can be used.

Proof of Concept

Let's give some names to the decimals of certain numbers: n = decimals of the numerator oracle, d = decimals of the denominator oracle, a = decimals of the asset, c = decimals of the collateral.

Now, oracleNormalization = 10^(18 + n - d + a - c). And here: https://github.com/code-423n4/2022-08-frax/blob/main/src/contracts/FraxlendPairCore.sol#L536 , price has decimals of 36 + n - d, so here, when we calculate `_exchangeRate = _price / oracleNormalization;`, it would underflow and revert if a > 18 + c. And that's a pretty big limitation on the token options. We have USDC, which has 6 decimals, so all the tokens whose decimals are < 24 are not possible to use in this system (together with USDC).

Tools Used

Recommended Mitigation Steps
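A small model of the decimals limitation described in the finding, added here as an example (not Fraxlend's code). It takes the exponent formula 18 + n - d + a - c from the finding and evaluates it with checked unsigned arithmetic, reporting which asset/collateral decimal combinations would revert for a given oracle pair. The left-to-right evaluation order and the 10**77 uint256 bound are assumptions about Solidity 0.8 arithmetic, not something the issue states.

```python
# Added example (not Fraxlend code): models the normalization exponent from the
# finding, 18 + n - d + a - c, under Solidity 0.8 checked unsigned arithmetic.
# Assumption: the expression is evaluated left to right and every partial result
# is unsigned, so any negative intermediate reverts the constructor.

MAX_POW10_EXPONENT = 77  # 10**77 < 2**256 <= 10**78, so larger exponents overflow uint256


def normalization_exponent(n: int, d: int, a: int, c: int) -> int:
    """Return the exponent of oracleNormalization, or raise if the constructor would revert.

    n, d: decimals of the numerator / denominator oracle
    a, c: decimals of the asset / collateral token
    """
    acc = 18
    for op, value in (("+", n), ("-", d), ("+", a), ("-", c)):
        acc = acc + value if op == "+" else acc - value
        if acc < 0:
            # unsigned subtraction below zero: checked arithmetic reverts here
            raise ArithmeticError(f"unsigned underflow at '{op} {value}' (running value {acc})")
    if acc > MAX_POW10_EXPONENT:
        # 10**acc itself would not fit in uint256 (second, independent failure mode)
        raise ArithmeticError(f"10**{acc} does not fit in uint256")
    return acc


def can_deploy(n: int, d: int, a: int, c: int):
    """(True, exponent) if the pair constructor would succeed, else (False, reason)."""
    try:
        return True, normalization_exponent(n, d, a, c)
    except ArithmeticError as exc:
        return False, str(exc)


def blocked_pairs(n: int, d: int, decimals=(6, 8, 18)):
    """List (asset_decimals, collateral_decimals) combinations that revert for the given oracles.

    The default grid (6, 8, 18) is a constructed sample of common ERC-20 decimal counts.
    """
    return [(a, c) for a in decimals for c in decimals if not can_deploy(n, d, a, c)[0]]


if __name__ == "__main__":
    # constructed inputs: two 8-decimal oracles, 18-decimal asset, 6-decimal collateral
    print(can_deploy(8, 8, 18, 6))
    # constructed inputs: 18-decimal denominator oracle, 6-decimal asset, 18-decimal collateral
    print(can_deploy(0, 18, 6, 18))
    print(blocked_pairs(0, 18))
```

Running `blocked_pairs` over the token decimals a deployer actually intends to pair is a cheap pre-deployment check: every tuple it returns is a pair the constructor would reject, so the limitation can be caught before any transaction is sent.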

DrakeEvans commented 2 years ago

Known issue, prevents certain combinations of tokens from being deployed. No high risk as no deployment will occur. No funds at risk, no incorrect functionality. Low at best.

gititGoro commented 2 years ago

This hasn't been listed as a known issue so it can't be marked invalid but since deployments can't occur, it's a medium severity.