ck - Lender::rateLimit will revert for ERC20 tokens with greater than 27 decimals

[github-actions[bot]]

ck

medium

Lender::rateLimit will revert for ERC20 tokens with greater than 27 decimals

Summary

For ERC20 tokens with greater than 27 decimals, the rateLimit function will revert. This will prevent mint and lend from being executed even when the rateLimit has not been reached.

Vulnerability Detail

The rateLimit() function calculates the valueToMint as valueToMint = valueToMint * 10**(27 - IERC20(u).decimals());. For ERC20 tokens with greater than 27 decimals, there will be an underflow which will prevent mint and lend from being executed even when the rateLimit has not been reached.

https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/Lender.sol#L1255-L1256

It should not be assumed that the decimals of ERC20 tokens will never be greater than 27 especially when interacting with external protocols that are dynamic.

Impact

For ERC20 tokens with greater than 27 decimals, there will be an underflow which will prevent mint and lend from being executed even when the rateLimit has not been reached.

Code Snippet

https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/Lender.sol#L1255-L1256

        // Normalize the value to be minted to 27 decimals
        valueToMint = valueToMint * 10**(27 - IERC20(u).decimals());

Tool used

Manual Review

Recommendation

Replace valueToMint = valueToMint * 10**(27 - IERC20(u).decimals()); with

        if (IERC20(u).decimals()) <= 27 ) {
            valueToMint = valueToMint * 10**(27 - IERC20(u).decimals());
        } else {
            valueToMint = valueToMint / 10**(IERC20(u).decimals() - 27);
       }

[IllIllI000]

None of the tokens in the on-chain context have more than 27 decimals, so this seems Low

[sourabhmarathe]

We are aware of this and we do not feel that this is going to be an issue with any of our markets.

[hrishibhat]

Agree on this with Sponsor & Lead Watson. Considering this as low.