Protocol assumes that all ERC20 tokens have 18 decimals. Accounting functions will be greatly impaired.
Vulnerability Detail
In Pool.sol contract it is thought that all EPC20 tokens are 18 decimal.
Not all tokens have 18 decimals, for example USDC have only six, this means that it will be dividing the amount by 18 but it should be only divided by 6.
If decimals is fixed at 18, there will be extreme accounting error.
Impact
Massive impact on interest rate calculation. Truncation to zero possible.
tsvetanovv
high
Wrong assumption, not all tokens have 18 decimals
Summary
Protocol assumes that all ERC20 tokens have 18 decimals. Accounting functions will be greatly impaired.
Vulnerability Detail
In Pool.sol contract it is thought that all EPC20 tokens are 18 decimal. Not all tokens have 18 decimals, for example USDC have only six, this means that it will be dividing the amount by 18 but it should be only divided by 6. If decimals is fixed at 18, there will be extreme accounting error.
Impact
Massive impact on interest rate calculation. Truncation to zero possible.
Code Snippet
https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L19
Tool used
Manual Review
Recommendation
We recommend the protocol scale the token decimal in different matter to make it compatible with token that has more or less than 18 decimals.
Duplicate of #72