The _convertDecimals function in the Shell Protocol can cause a loss of value through decimal truncation during token conversions. This is particularly critical in the context of Shell Protocol's operations, which involve managing various tokens with different decimal precisions. The truncation can result in small but cumulative discrepancies in user balances, affecting the accuracy and fairness of transactions within the protocol.
Proof of Concept
Let's consider an example with two users, Alice and Bob, interacting with the Shell Protocol:
Alice decides to convert her tokens with a high decimal precision (say, 18 decimals) to a token with lower precision (say, 2 decimals).
She has an amount of 1234.567890123456789 tokens to convert.
Using _convertDecimals, the converted amount becomes 1234.56, and the truncated part is 0.007890123456789.
While this seems minor in a single transaction, repeated conversions or larger amounts could lead to more significant losses for users like Alice.
Bob, on the other hand, may be conducting transactions that consistently round down, leading to a gradual decrease in his expected balances over time.
Tools Used
Recommended Mitigation Steps
Given the context of the Shell Protocol, the following specific steps are suggested to mitigate the impact:
Protocol-Specific Rounding Policy: Implement a rounding policy tailored to the Shell Protocol's operational model. This could involve rounding up to the nearest unit in certain scenarios or providing a mechanism to handle fractional remnants in a way that aligns with the protocol's objectives.
Balance Adjustment Mechanism: Develop a system within the protocol to track and adjust for lost value due to truncation. For example, creating a pool that accumulates fractional amounts and redistributes them under specific conditions.
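The truncation in the Alice example and the remainder-tracking idea from the mitigation steps, as an added Python model that is not code from the protocol or the report. It assumes the conversion is a floor division by a power of ten; DustLedger and compare are hypothetical names, and the amount is Alice's figure expressed in 18-decimal base units.

```python
# Added example: integer decimal scaling modeled in Python (not the protocol's Solidity).
ALICE_AMOUNT = 1234567890123456789000  # 1234.567890123456789 at 18 decimals (from the PoC)


def convert_decimals(amount, decimals_from, decimals_to):
    """Return (converted, dust); dust is the truncated part in source base units."""
    if decimals_from <= decimals_to:
        # Scaling up multiplies by a power of ten, so nothing is lost.
        return amount * 10 ** (decimals_to - decimals_from), 0
    # Scaling down floor-divides; the remainder is the value that disappears.
    return divmod(amount, 10 ** (decimals_from - decimals_to))


class DustLedger:
    """Hypothetical per-account accumulator for truncated remainders."""

    def __init__(self, decimals_from, decimals_to):
        self.decimals_from = decimals_from
        self.decimals_to = decimals_to
        self.shift = 10 ** max(decimals_from - decimals_to, 0)
        self.dust = {}

    def convert(self, account, amount):
        converted, dust = convert_decimals(amount, self.decimals_from, self.decimals_to)
        # Carry the remainder forward and pay out once it adds up to a whole target unit.
        extra, self.dust[account] = divmod(self.dust.get(account, 0) + dust, self.shift)
        return converted + extra


def compare(rounds):
    """Totals for one account over `rounds` conversions: (truncating, with ledger, dust left)."""
    ledger = DustLedger(18, 2)
    naive = sum(convert_decimals(ALICE_AMOUNT, 18, 2)[0] for _ in range(rounds))
    tracked = sum(ledger.convert("alice", ALICE_AMOUNT) for _ in range(rounds))
    return naive, tracked, ledger.dust["alice"]


if __name__ == "__main__":
    print(convert_decimals(ALICE_AMOUNT, 18, 2))
    print(compare(3))
```

With the ledger, the credited total plus the remaining dust always equals the sum of the inputs, which is the invariant a reviewer can check for any rounding policy.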
Lines of code
https://github.com/code-423n4/2023-11-shellprotocol/blob/485de7383cdf88284ee6bcf2926fb7c19e9fb257/src/adapters/OceanAdapter.sol#L154-L157
Assessed type
Decimal