code-423n4 / 2023-07-amphora-findings

Tokens with decimals larger than 18 are not supported #253

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/VaultController.sol#L341-L342

Vulnerability details

When registering a token, some tokens have decimals larger than 18.

https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/core/VaultController.sol#L342C1-L343C1


    uint8 _tokenDecimals = IERC20Metadata(_tokenAddress).decimals();
    if (_tokenDecimals > MAX_DECIMALS) revert VaultController_TooManyDecimals();

When calling IERC20Metadata, some tokens have decimals larger than 18.

Chainlink feeds with decimals > 18 are not supported either: https://github.com/code-423n4/2023-07-amphora/blob/main/core/solidity/contracts/periphery/oracles/ChainlinkStalePriceLib.sol#L11-L15

    function getCurrentPrice(AggregatorV2V3Interface _aggregator) internal view returns (uint256 _price) {
      (, int256 _answer,,,) = _aggregator.latestRoundData();
      if (_answer <= 0) revert Chainlink_NegativePrice();
      _price = uint256(_answer);
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Consider checking if decimals > 18 and normalizing the value by dividing by the decimals difference.

Assessed type

ERC20
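
One way to implement the normalization recommended above, as an added example that is not part of the original report or of the Amphora code base. The library name `DecimalScaling`, the function `to18` and the custom error are hypothetical; the same function applies to a token amount and to a Chainlink answer once the feed's `decimals()` value is known.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example: hypothetical helper, not part of the Amphora code base.
library DecimalScaling {
  uint8 internal constant TARGET_DECIMALS = 18;
  // 10**77 is the largest power of ten that fits in a uint256.
  uint8 internal constant MAX_POW10_EXPONENT = 77;

  error DecimalScaling_UnsupportedDecimals(uint8 _decimals);

  /// @notice Rescales `_value`, expressed with `_decimals` decimals, to 18 decimals.
  /// @dev Scaling down truncates toward zero: anything below
  ///      10**(_decimals - 18) base units is lost, so callers must decide
  ///      whether rounding down is safe for the quantity being converted.
  function to18(uint256 _value, uint8 _decimals) internal pure returns (uint256 _scaled) {
    if (_decimals == TARGET_DECIMALS) return _value;

    if (_decimals < TARGET_DECIMALS) {
      // Checked arithmetic (Solidity >= 0.8) reverts if the product overflows.
      return _value * 10 ** uint256(TARGET_DECIMALS - _decimals);
    }

    // More than 18 decimals: divide by the decimals difference.
    uint8 _diff = _decimals - TARGET_DECIMALS;
    // decimals() is a uint8, so a token can report up to 255; reject
    // differences whose power of ten cannot be represented.
    if (_diff > MAX_POW10_EXPONENT) revert DecimalScaling_UnsupportedDecimals(_decimals);
    return _value / 10 ** uint256(_diff);
  }
}
```

With a 24-decimal token, `to18(1_500_000_000_000_000_000_000_000, 24)` returns `1_500_000_000_000_000_000` (1.5 in 18-decimal units), while `to18(999_999, 24)` returns `0` because the amount is below the smallest 18-decimal unit.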

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #151

c4-judge commented 1 year ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

dmvt marked the issue as grade-a