sherlock-audit / 2024-05-elfi-protocol-judging

0xPwnd - Incorrect Conversion Functions Leading to Inaccurate Token and USD Calculations #290

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

0xPwnd

High

Incorrect Conversion Functions Leading to Inaccurate Token and USD Calculations

Summary

The functions usdToToken and tokenToUsd in CalUtils.sol fail to accurately convert between USD and tokens due to incorrect handling of decimals. This inaccuracy can lead to financial discrepancies across various parts of the protocol that rely on these conversions.

Vulnerability Detail

Scenario: Converting USD to Token Context:

Scenario: Converting Token to USD Context:

Impact

- Incorrect conversion rates can cause users to receive incorrect token amounts or USD equivalents.
- Multiple functions relying on these conversions may exhibit erratic behavior, potentially leading to financial losses or incorrect collateral/liquidation calculations.

Code Snippet

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/utils/CalUtils.sol#L76-L78

https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/8a1a01804a7de7f73a04d794bf6b8104528681ad/elfi-perp-contracts/contracts/utils/CalUtils.sol#L92-L98

Tool used

Manual Review

Recommendation

Modify the calculation formula to ensure correct conversion to/from USD.

creat3xai commented 4 months ago

Hello, is there a reason why this one was excluded? The library is not in scope, but it has a flaw in the conversion and it's used by multiple contracts in scope. As per the rules, this should be valid for verification and it should be in scope. In case the vulnerability exists in a library and an in-scope contract uses it and is affected by this bug, this is a valid issue. Please, someone check this, and thank you.

0xELFi commented 4 months ago

In our system, we set the precision of the USD value to 18 decimal places, and the precision of token denominations does not support exceeding 18 decimal places.

uint256 public constant USD_PRECISION = 10 ** 18;
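
The decimal handling this thread is about, modelled as an added Python example (not code from CalUtils.sol and not posted by any commenter). It assumes the 18-decimal USD scale stated above and an 8-decimal price scale, which the page does not give; all function names are hypothetical. It shows the scaled conversion next to a variant that ignores token decimals, so the size of that class of error is visible.

```python
# Added illustration: integer model of USD <-> token conversion (hypothetical names).
USD_DECIMALS = 18                  # from the thread: USD_PRECISION = 10 ** 18
PRICE_PRECISION = 10 ** 8          # assumption: price scale is not stated on the page


def _scale(token_decimals: int) -> int:
    """Factor lifting token base units to 18 decimals; rejects decimals > 18."""
    if not 0 <= token_decimals <= USD_DECIMALS:
        # In uint256 arithmetic 10 ** (18 - decimals) would underflow here.
        raise ValueError("token decimals must be between 0 and 18")
    return 10 ** (USD_DECIMALS - token_decimals)


def token_to_usd(amount: int, token_decimals: int, price: int) -> int:
    """Token base units -> 18-decimal USD, rounding down."""
    return amount * price * _scale(token_decimals) // PRICE_PRECISION


def usd_to_token(usd: int, token_decimals: int, price: int) -> int:
    """18-decimal USD -> token base units, rounding down."""
    if price <= 0:
        raise ValueError("price must be positive")
    return usd * PRICE_PRECISION // (price * _scale(token_decimals))


def naive_token_to_usd(amount: int, price: int) -> int:
    """Deliberately wrong variant: treats every token as 18-decimal."""
    return amount * price // PRICE_PRECISION


def decimals_error_factor(amount: int, token_decimals: int, price: int) -> int:
    """How far the naive result is from the scaled one (1 means no error)."""
    return token_to_usd(amount, token_decimals, price) // naive_token_to_usd(amount, price)


if __name__ == "__main__":
    one_usd = 10 ** 8                                  # constructed price: $1.00
    usd = token_to_usd(1_500_000, 6, one_usd)          # 1.5 units of a 6-decimal token
    print(usd, usd_to_token(usd, 6, one_usd))
    print(decimals_error_factor(1_500_000, 6, one_usd))
    print(usd_to_token(1, 6, one_usd))                 # dust rounds down to zero
```

A review of conversion helpers like these can reuse the same checks: round-trip a 6-, 8- and 18-decimal token, confirm dust amounts round down, and confirm tokens with more than 18 decimals are rejected instead of underflowing.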