Tokens with decimals less than 18 are not supported
Summary
Users can create ERC20 pools with a quote or a collateral token than has less than 18 decimals but cannot deposit funds to such pools due to decimals rounding. This is only applicable to ERC721 pools, but only to the quote token.
Vulnerability Detail
When deploying an ERC20 pool via the factory, two scale values are calculated and recorded for the pool (ERC20PoolFactory.sol#L53-L54):
For example, if the quote token is USDC (which has 6 decimals), quoteTokenScale will equal to: 10 ** (18 - 6) = 10 ** 12 = 1e12.
When adding quote token to a pool via the addQuoteToken function, the input amount is rounded using the quoteTokenScale value (PoolHelper.sol#L234-L239):
function _roundToScale(
uint256 amount_,
uint256 tokenScale_
) pure returns (uint256 scaledAmount_) {
scaledAmount_ = (amount_ / tokenScale_) * tokenScale_;
}
For example, if user adds 1000 USDC as the quote token, the actual number of tokens to be deposited will equal to: (1000e6 / 1e12) * 1e12 = 0 USDC. Thus, no tokens will be deposited.
Impact
Users cannot add quote tokens (to ERC20 and ERC721 pools) and collateral tokens (to ERC20 pools) that have less than 18 decimals.
Consider scaling input amounts to 18 decimals if this is required by internal accounting. Alternatively, consider updating the documentation of addQuoteToken and addCollateral (for ERC20 pools) and specifying that input amounts must have 18 decimals.
Jeiwan
medium
Tokens with decimals less than 18 are not supported
Summary
Users can create ERC20 pools with a quote or a collateral token than has less than 18 decimals but cannot deposit funds to such pools due to decimals rounding. This is only applicable to ERC721 pools, but only to the quote token.
Vulnerability Detail
When deploying an ERC20 pool via the factory, two scale values are calculated and recorded for the pool (ERC20PoolFactory.sol#L53-L54):
For example, if the quote token is USDC (which has 6 decimals),
quoteTokenScalewill equal to:10 ** (18 - 6) = 10 ** 12 = 1e12.When adding quote token to a pool via the addQuoteToken function, the input amount is rounded using the
quoteTokenScalevalue (PoolHelper.sol#L234-L239):For example, if user adds 1000 USDC as the quote token, the actual number of tokens to be deposited will equal to:
(1000e6 / 1e12) * 1e12 = 0 USDC. Thus, no tokens will be deposited.Impact
Users cannot add quote tokens (to ERC20 and ERC721 pools) and collateral tokens (to ERC20 pools) that have less than 18 decimals.
Code Snippet
ERC20PoolFactory.sol#L53-L54 Pool.sol#L139 PoolHelper.sol#L247-L255
Tool used
Manual Review
Recommendation
Consider scaling input amounts to 18 decimals if this is required by internal accounting. Alternatively, consider updating the documentation of
addQuoteTokenandaddCollateral(for ERC20 pools) and specifying that input amounts must have 18 decimals.Duplicate of #123