At few places in the project the protocol is expecting that all tokens have 18 decimals, this is a wrong assumption.
A two token vault that comprises tokens with different decimals will have many of its key functions broken.
Vulnerability Detail
Not all tokens have 18 decimals, for example USDC have only six, this means that it will be dividing the amount by 18 but it should be only divided by 6.
Impact
If decimals is fixed at 18, there will be extreme accounting error.
If you want to only allow tokens with 18 decimals you could add a require in the constructor to safely assume that the tokens has 18 decimals or you could do extra math and based on decimals on debt token and collateral token.
tsvetanovv
high
Not all tokens have 18 decimals
Summary
At few places in the project the protocol is expecting that all tokens have 18 decimals, this is a wrong assumption. A two token vault that comprises tokens with different decimals will have many of its key functions broken.
Vulnerability Detail
Not all tokens have 18 decimals, for example USDC have only six, this means that it will be dividing the amount by 18 but it should be only divided by 6.
Impact
If decimals is fixed at 18, there will be extreme accounting error.
Code Snippet
https://github.com/sherlock-audit/2023-01-ajna/blob/main/contracts/src/ERC721Pool.sol#L541
Tool used
Manual Review
Recommendation
If you want to only allow tokens with 18 decimals you could add a require in the constructor to safely assume that the tokens has 18 decimals or you could do extra math and based on decimals on debt token and collateral token.
Duplicate of #123