0xhacksmithh - While Swapping One Token To Other via `getAmountOut()` Token Decimals Difference Are Not Taken To Consideration

[sherlock-admin]

0xhacksmithh

medium

While Swapping One Token To Other via getAmountOut() Token Decimals Difference Are Not Taken To Consideration

Summary

Tokens Decimal Difference Should taken into consideration.

Vulnerability Detail

Here simply . First sqrtPriceX96 get . Then according to its value its Square calculated . Then Multiplied with amountIn and Divided by 1 << 192 [This change according to situation, i'm considering first one]

But there is a issue here that token with different decimals not adjusted here

For simplicity let consider USDC/ETH pool

Price of ETH in term of USDC will = 1/P * 10**12
where P = (sqrtPrice/Q96)**2
where Q96 = 2**96

If we consider Below swapping code corresponding to above math equation, P Calculation is satisfied But Decimal adjust is not

In above equation 10**12 simply exists because of Decimal difference between ETH and USDC

So code should implement this decimal adjustment case, As Protocol Readme Specify it supports USDC,USDT,WBTC,WETH, other wrapped native tokens, and general ERC20 standart with no deflation/inflation model

............
............
        uint160 sqrtPriceX96 = TickMath.getSqrtRatioAtTick(avarageTick);
        if (sqrtPriceX96 <= type(uint128).max) {
            uint256 ratioX192 = uint256(sqrtPriceX96) * sqrtPriceX96;
            swappedOut = zeroForOne
                ? FullMath.mulDiv(ratioX192, amountIn, 1 << 192) // @audit-issue decimal not adjusted here
                : FullMath.mulDiv(1 << 192, amountIn, ratioX192);

Impact

Swapping Amount will inaccurate

Code Snippet

https://github.com/sherlock-audit/2023-06-real-wagmi/blob/main/concentrator/contracts/Multipool.sol#L826-L837

Tool used

Manual Review

Recommendation

Apply token decimal adjustment feature

Duplicate of #138