ChilizWrappedERC20::initialize function doesn't allow tokens with 18 decimals
Summary
The ChilizWrappedERC20::initialize function is used to create a wrapper for an underlying token.
However, this function only accepts tokens with fewer than 18 decimals, which makes the majority of existing tokens unusable, because 18 decimals is the most common configuration.
Vulnerability Detail
The vulnerability exists in ChilizWrappedERC20::initialize because it rejects tokens with 18 decimals, the most common configuration (WETH, for example, has 18 decimals, as do some stablecoins such as DAI and even a wrapped Chiliz), so tokens with 18 decimals cannot be used in swaps.
This is due to the following check in ChilizWrappedERC20::initialize:
function initialize(IERC20 _underlyingToken) external {
    // ... snippet
    // Rejects every token whose decimals() is 18 or more
    if (_underlyingToken.decimals() >= 18) revert InvalidDecimals();
    // ...
}
So, if the underlyingToken has 18 decimals, the call reverts with InvalidDecimals.
Impact
The impact of this vulnerability includes:
Underlying tokens with 18 decimals cannot be used.
Possible loss of market share, because these tokens cannot be swapped.
Some non-wrapped tokens with 18 decimals are deployed live on Chiliz.
Recommendation
Change the restriction in ChilizWrappedERC20::initialize so that tokens with 18 decimals can be used, i.e. change the decimals check from >= to > in initialize:
function initialize(IERC20 _underlyingToken) external {
    if (msg.sender != factory) revert Forbidden();
    if (_underlyingToken.decimals() > 18) revert InvalidDecimals(); // <@ CHANGE >= to >
    if (address(underlyingToken) != address(0)) revert AlreadyExists();
    // ...
}
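An added Foundry regression test for the boundary described above (not the report's PoC and not project code): `MockToken` and `DecimalsGuard` are hypothetical stand-ins that isolate the decimals check, and forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "forge-std/Test.sol";

// Constructed stand-in token: only decimals() matters for this check.
contract MockToken {
    uint8 public decimals;
    constructor(uint8 d) { decimals = d; }
}

// Hypothetical harness isolating the decimals guard; the factory and
// already-initialized checks of the real contract are left out.
contract DecimalsGuard {
    error InvalidDecimals();

    function original(MockToken t) external view {
        if (t.decimals() >= 18) revert InvalidDecimals(); // check quoted in the report
    }

    function recommended(MockToken t) external view {
        if (t.decimals() > 18) revert InvalidDecimals(); // check after the suggested change
    }
}

contract DecimalsBoundaryTest is Test {
    DecimalsGuard guard = new DecimalsGuard();

    function test_original_rejects_18() public {
        MockToken t = new MockToken(18);
        vm.expectRevert(DecimalsGuard.InvalidDecimals.selector);
        guard.original(t);
    }

    function test_recommended_accepts_18_rejects_19() public {
        guard.recommended(new MockToken(18)); // must not revert
        MockToken t19 = new MockToken(19);
        vm.expectRevert(DecimalsGuard.InvalidDecimals.selector);
        guard.recommended(t19);
    }

    // Fuzz the whole uint8 range: accepted if and only if decimals <= 18.
    function testFuzz_recommended(uint8 d) public {
        MockToken t = new MockToken(d);
        if (d > 18) vm.expectRevert(DecimalsGuard.InvalidDecimals.selector);
        guard.recommended(t);
    }
}
```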
cryptonoob
high
Non-wrapped tokens with 18 decimals deployed live on Chiliz:
https://chiliscan.com/token/0x1257C62822B6A0736245F88E55347e780ca60206
https://chiliscan.com/token/0x63B68eD1E75bCf1884464085eaa3a39c62eC8677
https://chiliscan.com/token/0xC2C42d279b15E0f305216826dfec977DFfC3d074
https://chiliscan.com/token/0x3e483d4382aC9aEC472afB170C7C12a10867a775
The following PoC shows how trying to use a token with 18 decimals will revert. Create this test in the test subdirectory:
Execute with
Observe that it reverts.
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/utils/ChilizWrappedERC20.sol#L18-L21
Tool used
Manual Review
Duplicate of #7