code-423n4 / 2023-01-numoen-findings

Not all tokens have 18 decimals #166

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/main/src/core/ImmutableState.sol#L35

Vulnerability details

Vulnerability Detail

Wrong assumption: not all tokens have 18 decimals. It is assumed that the number of decimals for each token is 18. However, it is possible to have tokens with more or less than 18 decimals. For example, USDC has only six; this means that it will be dividing the amount by 18 but it should be only divided by 6.

Impact

This can result in incorrect calculations for tokens which don't use 1e18 decimal places.

Proof of Concept

ImmutableState.sol
35: token0Scale = 10 ** (18 - _token0Exp);
36: token1Scale = 10 ** (18 - _token1Exp);

Tool used

Manual Review

Recommendation

I recommend the protocol scale the token decimals in a different manner to make it compatible with tokens that have more or less than 18 decimals.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid
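
Added example, not part of the issue or of the Numoen code: a Python model of the two quoted lines from ImmutableState.sol, showing the scale they produce for 6-decimal, 18-decimal and more-than-18-decimal tokens. It assumes the exponent is an unsigned integer under Solidity 0.8 checked arithmetic and that the scale is applied by multiplication; `token_scale`, `normalize`, `Revert` and the sample amounts are hypothetical names and constructed values.

```python
# Added illustration: models `tokenScale = 10 ** (18 - _tokenExp)`.
# Assumption: unsigned operands and Solidity >= 0.8, where an unsigned
# subtraction that would go below zero reverts instead of wrapping.

TARGET_DECIMALS = 18  # the constant in the quoted expression


class Revert(Exception):
    """Stands in for a Solidity checked-arithmetic revert."""


def token_scale(token_exp: int) -> int:
    """Return the scale factor the quoted line computes for a token."""
    if token_exp < 0:
        raise ValueError("decimals cannot be negative")
    if token_exp > TARGET_DECIMALS:
        # 18 - token_exp underflows an unsigned integer.
        raise Revert(f"18 - {token_exp} underflows")
    return 10 ** (TARGET_DECIMALS - token_exp)


def normalize(raw_amount: int, token_exp: int) -> int:
    """Hypothetical use of the scale: raw units to 18-decimal precision."""
    return raw_amount * token_scale(token_exp)


def describe(token_exp: int) -> str:
    """Summarise what construction would do for a token's decimals."""
    try:
        return f"decimals={token_exp}: scale={token_scale(token_exp)}"
    except Revert as exc:
        return f"decimals={token_exp}: revert ({exc})"


if __name__ == "__main__":
    # Constructed samples: 6 (USDC-like), 18 (typical ERC-20), 24 (above 18).
    for exp in (6, 18, 24):
        print(describe(exp))
    # One whole token in raw units, for a 6-decimal and an 18-decimal token.
    print(normalize(1_000_000, 6), normalize(10**18, 18))
```
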