Users who have shares in vaults with lower decimals receive less rewards

Summary

Users who hold shares in vaults with fewer tokens receive reduced rewards because each Lender's shares have the same decimal precision as the underlying token.

Vulnerability Detail

The protocol implements a reward system that calculates rewards for shareholders based on their staked amount and duration.

userState.earned += uint112((balance * (accumulated - userState.checkpoint)) / 1e16);

The issue stems from the decimals of both the vault and the underlying token not being standardized to 1e18.

function _accumulate(PoolState memory poolState) private view returns (uint144) {
    unchecked {
        uint256 deltaT = block.timestamp - poolState.lastUpdated;
        return poolState.accumulated + uint144((1e16 * deltaT * poolState.rate) / exp2(poolState.log2TotalSupply));
    }
}

Even though the delta accumulated is multiplied by 1e16, the log2TotalSupply and the earned values are in decimals of the underlying token multiplied by 1e16.

Impact

Users participating in vaults with underlying tokens of lower precision will receive significantly reduced rewards, resulting in potential loss of earnings.

Code Snippet

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Rewards.sol#L95-L97

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Rewards.sol#L114-L126

https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/libraries/Rewards.sol#L140-L145

Tool used

Manual Review

Recommendation

Consider standardizing all reward calculations to 1e18 based on the decimals of the underlying token in each vault using the following formula: accumulated * (10^18 * (1e18 - token.decimals())).

Duplicate of #137

sherlock-audit / 2023-10-aloe-judging

OxZ00mer - Users who have shares in vaults with lower decimals receive less rewards #148