Ulysses AMM (Ulysses Pools and Ulysses Tokens) only supports tokens with 18 decimals, but Ulysses Omnichain accounting supports tokens with any decimals and converts them to 18 decimals.
But some instances in Ulysses Omnichain fails to convert/normalize such tokens.
Within Ulysses Omnichain calculations are done with tokens which might have different precision/decimals, this could lead to issues like transferring fewer or more tokens to users or reverts in some cases.
for instances:
https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L442
function _updateStateOnBridgeOut(
address _sender,
address _globalAddress,
address _localAddress,
address _underlyingAddress,
uint256 _amount,
uint256 _deposit,
uint24 _toChain
) internal {
if (_amount - _deposit > 0) {//@audit _deposit should be normalized first
//Move output hTokens from Root to Branch
if (_localAddress == address(0)) revert UnrecognizedLocalAddress();
_globalAddress.safeTransferFrom(_sender, localPortAddress, _amount - _deposit);//@audit _deposit should be normalized
}
if (_deposit > 0) {
//Verify there is enough balance to clear native tokens if needed
if (_underlyingAddress == address(0)) revert UnrecognizedUnderlyingAddress();
if (IERC20hTokenRoot(_globalAddress).getTokenBalance(_toChain) < _deposit) {//@audit should be normalized first
revert InsufficientBalanceForSettlement();
}
IPort(localPortAddress).burn(_sender, _globalAddress, _deposit, _toChain);
}
}
This function takes two value input amount and _deposit from the Natspec comment amount is from the htoken which is known to be 18 decimals but _deposit can be any underlying token with different precision, these difference could cause multiple issues within these contracts.
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L442 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L249 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L275 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L277
Vulnerability details
Impact
From the contest description:
But some instances in Ulysses Omnichain fails to convert/normalize such tokens. Within Ulysses Omnichain calculations are done with tokens which might have different precision/decimals, this could lead to issues like transferring fewer or more tokens to users or reverts in some cases. for instances: https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L442
This function takes two value input
amount
and_deposit
from the Natspec commentamount
is from the htoken which is known to be 18 decimals but_deposit
can be any underlying token with different precision, these difference could cause multiple issues within these contracts.Proof of Concept
other instances of same issue. https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L249 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L275 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L277 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchPort.sol#L276 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/ArbitrumBranchPort.sol#L123 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/ArbitrumBranchPort.sol#L124 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/ArbitrumBranchPort.sol#L144 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/ArbitrumBranchPort.sol#L146 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchBridgeAgent.sol#L623 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/BranchBridgeAgent.sol#L979 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L451 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L454 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootBridgeAgent.sol#L460 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootPort.sol#L282 https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/RootPort.sol#L283
Tools Used
Manual Review
Recommended Mitigation Steps
Precision of both token should be consistent before performing operations on them. normalize the
_deposit
parameter before usage.Assessed type
Decimal