While Swapping One Token To Other via getAmountOut() Token Decimals Difference Are Not Taken To Consideration
Summary
Tokens Decimal Difference Should taken into consideration.
Vulnerability Detail
Here simply
. First sqrtPriceX96 get
. Then according to its value its Square calculated
. Then Multiplied with amountIn and Divided by 1 << 192 [This change according to situation, i'm considering first one]
But there is a issue here that token with different decimals not adjusted here
For simplicity let consider USDC/ETH pool
Price of ETH in term of USDC will = 1/P * 10**12
where P = (sqrtPrice/Q96)**2
where Q96 = 2**96
If we consider Below swapping code corresponding to above math equation,
P Calculation is satisfied But Decimal adjust is not
In above equation 10**12 simply exists because of Decimal difference between ETH and USDC
So code should implement this decimal adjustment case, As Protocol Readme Specify it supports USDC,USDT,WBTC,WETH, other wrapped native tokens, and general ERC20 standart with no deflation/inflation model
0xhacksmithh
medium
While Swapping One Token To Other via
getAmountOut()
Token Decimals Difference Are Not Taken To ConsiderationSummary
Tokens Decimal Difference Should taken into consideration.
Vulnerability Detail
Here simply . First
sqrtPriceX96
get . Then according to its value itsSquare
calculated . Then Multiplied withamountIn
and Divided by1 << 192
[This change according to situation, i'm considering first one]But there is a issue here that token with different decimals not adjusted here
For simplicity let consider
USDC/ETH pool
If we consider Below swapping code corresponding to above math equation,
P
Calculation is satisfied But Decimal adjust is notIn above equation 10**12 simply exists because of Decimal difference between ETH and USDC
So code should implement this decimal adjustment case, As Protocol Readme Specify it supports
USDC,USDT,WBTC,WETH, other wrapped native tokens, and general ERC20 standart with no deflation/inflation model
Impact
Swapping Amount will inaccurate
Code Snippet
https://github.com/sherlock-audit/2023-06-real-wagmi/blob/main/concentrator/contracts/Multipool.sol#L826-L837
Tool used
Manual Review
Recommendation
Apply token decimal adjustment feature
Duplicate of #138