Closed code423n4 closed 1 year ago
similar to #468 but in a different part of the codebase.
chechu marked the issue as sponsor disputed
The maths seems correct. It should be taken into account that exchangeRate has a different number of decimals depending on the underlying decimals. Example:
—- the pen & paper numbers:
—- now applying the formulas coded in the contract, numerator: 300 1.1 1e18 denominator: 0.068 1e28 ratio: _div(300 1.1 1e18 , 0.068 1e28) = (300 1.1 1e8) / 0.068 seizedTokens: mul_ScalarTruncate((300 1.1 1e8) / 0.068 , 105 1e18) = 509,558 1e8 vTRX
given the exchange rate (1e16), and the formula underlying = mul_ScalarTruncate(exchangeRate, vTokens), 509,558 1e8 vTRX are 509,558 1e6 TRX (atoms). The same amount calculated with pen & paper
0xean marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-05-venus/blob/main/contracts/Comptroller.sol#L1084-L1112
Vulnerability details
Impact
The total number of tokens to be seized could be wrongly calculated if the underlying assets of
vTokenBorrowed
&vTokenCollateral
have a different decimals.Proof of Concept
The price returned by the
ChainlinkOracle
contract of the Venus Protocol, the price is returned in the scale of 10 ^ (36 - underlying asset decimals))Example
That means, that the
priceBorrowedMantissa
will be scaled by a magnitude depending on the decimals of the underlying asset.Same for the
priceCollateralMantissa
, it will be scaled by a magnitude depending on the decimals of the underlying asset.The problem is when the two underlying assets uses different decimals, the two prices will be scaled up by a total different magnitude.
Then, in the rest of the math operations to estimate the seize tokens, any of the two prices are normalized in order to make the two magnitudes of the prices equals, so the tokens to be seized are estimated correctly.
Depending on the number of decimals of the two underlying assets, the calculated amount of tokens to be seized it might be either greater or lower than it really should be.
Tools Used
Recommended Mitigation Steps
The recommendation to prevent this issue is to normalize the amount of the two underlying assets before operating between the two, that means, when calculating the numerator and denominator, make sure to divide by 1e18 so the two values are now scaled by the same magnitude.
Assessed type
Math