code-423n4 / 2022-12-caviar-findings

Tokens are expected to have 18 decimals but not all have them #508

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/039095ee6b73709289d88cb99397e8b9028224c7/src/Pair.sol#L46
https://github.com/code-423n4/2022-12-caviar/blob/d3061461ca3f39330f791c0503ece2c657c8413d/src/LpToken.sol#L13

Vulnerability details

Tokens are expected to have 18 decimals but not all have them

Summary

Pairs don't consider tokens with fewer or more than 18 decimals

Impact

Tokens not compatible

Proof of Concept

https://github.com/code-423n4/2022-12-caviar/blob/039095ee6b73709289d88cb99397e8b9028224c7/src/Pair.sol#L46
https://github.com/code-423n4/2022-12-caviar/blob/d3061461ca3f39330f791c0503ece2c657c8413d/src/LpToken.sol#L13

Mitigation

Don't use hardcoded 18 decimals

Shungy commented 1 year ago

Seems invalid.

LP Token and fractional NFT token are created with 18 decimals. There is no "compatibility issue".

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Insufficient quality