PrivatePool.change does a call to changeFeeQuote() to calculate the fee amount.
It computes an exponent as ERC20(baseToken).decimals() - 4
File: src/PrivatePool.sol
731: function changeFeeQuote(uint256 inputAmount) public view returns (uint256 feeAmount, uint256 protocolFeeAmount) {
732: // multiply the changeFee to get the fee per NFT (4 decimals of accuracy)
733: uint256 exponent = baseToken == address(0) ? 18 - 4 : ERC20(baseToken).decimals() - 4;
This will revert for tokens with decimals less than 4.
EURS is an example of such token, as it has 2 decimals.
Impact
The change function is not available for pools with a baseToken with less than 4 decimals. This means reduced functionality available for such pools.
Tools Used
Manual Analysis
Mitigation
Either change the changeFeeQuote() functionality to work with tokens with less than 4 decimals, or ensure there is a check in Factory to prevent the creation of pools with a _baseToken with less than 4 decimals
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L733
Vulnerability details
PrivatePool.change
does a call tochangeFeeQuote()
to calculate the fee amount.It computes an
exponent
asERC20(baseToken).decimals() - 4
This will revert for tokens with decimals less than 4.
EURS
is an example of such token, as it has 2 decimals.Impact
The
change
function is not available for pools with abaseToken
with less than 4 decimals. This means reduced functionality available for such pools.Tools Used
Manual Analysis
Mitigation
Either change the
changeFeeQuote()
functionality to work with tokens with less than 4 decimals, or ensure there is a check inFactory
to prevent the creation of pools with a_baseToken
with less than 4 decimals