code-423n4 / 2023-01-ondo-findings


Collaterals with decimals greater than 18 cannot be used #264

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/f3426e5b6b4561e09460b2e6471eb694efdd6c70/contracts/cash/CashManager.sol#L179

Vulnerability details

Impact

The protocol cannot be used with some collaterals.

Proof of Concept

In the initialization process, the protocol calculates the decimalsMultiplier that is used later to convert from the collateral token amount to the cash token amount.

CashManager.sol

    decimalsMultiplier =
      10 **
        (IERC20Metadata(_cash).decimals() -
          IERC20Metadata(_collateral).decimals());

This implementation reverts for collaterals with decimals greater than 18, and the protocol cannot support some collaterals. It is an unnecessary contract-level restriction for future expansion.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a new parameter to store the relationship between the two token decimals and use it properly for conversions.
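
One way to implement the recommended mitigation, as an added example that is not from the finding or from the Ondo code base. The contract name DecimalScaler, the IDecimals interface and all function and variable names are hypothetical; it stores the direction of the decimals gap next to the multiplier and uses both for conversion.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface declared inline so the example has no external imports.
interface IDecimals {
    function decimals() external view returns (uint8);
}

// Hypothetical contract for illustration; not part of CashManager.sol.
contract DecimalScaler {
    // 10 ** |cashDecimals - collateralDecimals|
    uint256 public immutable scaleFactor;
    // true: cash has at least as many decimals as collateral (multiply);
    // false: collateral has more decimals than cash (divide).
    bool public immutable cashHasMoreDecimals;

    constructor(address cash, address collateral) {
        uint8 cashDec = IDecimals(cash).decimals();
        uint8 collDec = IDecimals(collateral).decimals();

        // The quoted code computes 10 ** (cashDec - collDec) directly. In
        // Solidity 0.8 the uint8 subtraction is checked, so it reverts
        // whenever collDec > cashDec. Taking the absolute difference avoids that.
        bool up = cashDec >= collDec;
        uint256 diff = up ? uint256(cashDec - collDec) : uint256(collDec - cashDec);
        // 10 ** 78 does not fit in uint256; fail with a clear reason instead.
        require(diff <= 77, "decimals gap too large");

        cashHasMoreDecimals = up;
        scaleFactor = uint256(10) ** diff;
    }

    // Collateral amount -> cash amount. Rounds down when dividing.
    function collateralToCash(uint256 amount) public view returns (uint256) {
        return cashHasMoreDecimals ? amount * scaleFactor : amount / scaleFactor;
    }

    // Cash amount -> collateral amount. Rounds down when dividing.
    function cashToCollateral(uint256 amount) public view returns (uint256) {
        return cashHasMoreDecimals ? amount / scaleFactor : amount * scaleFactor;
    }
}
```

When the collateral has more decimals than the cash token, the division truncates, so amounts below one cash unit convert to zero and callers need to decide how to handle that remainder.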

c4-judge commented 1 year ago

trust1995 changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

trust1995 marked the issue as grade-b