Closed sherlock-admin2 closed 6 months ago
Invalid, the price I will be adjusted accordingly to meet decimal differences in the event that the decimals of the base token are smaller than those of the quote token. All this constitutes trusted admin actions, i.e. in your example, if DAI is the quote asset, I will be set to 1e30.
cawfree
high
GSPVault.sol
rounding errors due to mixed-precision assets results in theft of provisioned liquidity.
Summary
Initializing a pool with a lower-precision base asset results in breakdown of pool invariant logic due to rounding errors.
Vulnerability Detail
Share calculation logic in the GSPVault operates on the implicit assumption that the number of IERC20Metadata#decimals() of the _BASE_TOKEN_ is greater than or equal to the number of decimals of the _QUOTE_TOKEN_.
However, this assumption is not enforced. In the following test, we'll create two MockERC20s:
b, with 6 decimals of precision i.e. $USDC.
q, with 18 decimals of precision i.e. $DAI.
First, the MAINTAINER initializes a pool normally using these assets:
If we analyze the internal state of the pool, we can see the following metrics:
This is to say, the _QUOTE_TARGET_ has been incorrectly calculated due to rounding errors from the lesser precision of the base asset.
Next let's initialize the ATTACKER, who requires only a single unit of quote asset:
For the price of a single unit of the quote asset, the ATTACKER is able to completely drain the pool:
Impact
The pool is drained, rendering the shares of liquidity worthless.
Code Snippet
Tool used
Visual Studio Code, Halmos
Recommendation
When initializing a pool, ensure the number of decimals of the base asset is greater than or equal to the number of decimals in the quote asset.
GSP.sol
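The 1e30 figure in the closing comment and the decimals condition in the recommendation can both be checked before a pool is initialized. The sketch below is an added example, not code from the report or from the project; it assumes the price I is an 18-decimal fixed-point multiplier applied with floor division (which is what makes a 1:1 price for a 6-decimal base and an 18-decimal quote come out as 1e30), and the function names are hypothetical.

```python
ONE = 10**18  # assumption: I is an 18-decimal fixed-point multiplier


def mul_floor(amount: int, price_i: int) -> int:
    """Quote units for `amount` base units at price I, rounded down."""
    return amount * price_i // ONE


def scaled_price(price_num: int, price_den: int,
                 base_decimals: int, quote_decimals: int) -> int:
    """I for a human price of price_num/price_den quote tokens per base token,
    carrying the decimal gap between the two assets."""
    exponent = 18 + quote_decimals - base_decimals
    if exponent < 0:
        raise ValueError("decimal gap too large for 18-decimal fixed point")
    return price_num * 10**exponent // price_den


def check_pool_params(base_decimals: int, quote_decimals: int, price_i: int,
                      price_num: int = 1, price_den: int = 1) -> list:
    """Return findings for a proposed initialization; an empty list means the
    supplied I matches the decimal-adjusted price to within a factor of 10."""
    findings = []
    expected = scaled_price(price_num, price_den, base_decimals, quote_decimals)
    if price_i * 10 <= expected or price_i >= expected * 10:
        got = mul_floor(10**base_decimals, price_i)
        want = mul_floor(10**base_decimals, expected)
        findings.append(
            f"I={price_i} is not decimal-adjusted (expected about {expected}): "
            f"one base token is valued at {got} quote units instead of {want}; "
            f"base has {base_decimals} decimals, quote has {quote_decimals}"
        )
    return findings


if __name__ == "__main__":
    # Constructed inputs: 6-decimal base, 18-decimal quote, 1:1 price.
    print(check_pool_params(6, 18, 10**18))  # unadjusted I is flagged
    print(check_pool_params(6, 18, 10**30))  # decimal-adjusted I passes
```
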