Closed sherlock-admin3 closed 4 months ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Invalid because pending points are individually pid linked. Normalization outside the contract can always be worked out when airdropping.
Avci
medium
The SophonFarming.sol contract assumes all tokens in the contract have 18 decimals
Summary
The SophonFarming.sol contract assumes that every token it holds has 18 decimals, but the contract also exposes an add() function for adding new pools (and therefore new tokens) to the contract.
Vulnerability Detail
All of the point calculations in the SophonFarming.sol contract, in functions such as _pendingPoints(), _deposit(), increaseBoost(), and withdraw(), assume that every token has 18 decimals. All tokens added in the initialize() function do have 18 decimals, but the add() function can add more pools. As I asked the sponsor, they may add tokens that don't have 18 decimals, like USDC, and it makes all calculations wrong in the system and can lead to wrong reward distribution.
Impact
This issue can lead to unfair reward distribution and loss of points for some users.
Code Snippet
For example, see the _pendingPoints() function:
https://github.com/sherlock-audit/2024-05-sophon/blob/05059e53755f24ae9e3a3bb2996de15df0289a6c/farming-contracts/contracts/farm/SophonFarming.sol#L357-L384
Tool used
Manual Review
Recommendation
Consider reading decimals() dynamically so that tokens with a decimal count other than 18 are supported.
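As an illustration of that recommendation (an added example, not SophonFarming's own code), a helper library that reads decimals() once when a pool is added and scales raw amounts to 18 decimals before any point accounting; the IERC20Decimals interface, library name and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 metadata interface (assumed here rather than imported).
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// @dev Hypothetical scaling helper. A pool would store the token's decimals
///      once at add() time and scale every deposit/withdraw amount to 18
///      decimals before it touches the point math, so a 6-decimal token such
///      as USDC is weighted the same per whole token as an 18-decimal one.
library DecimalScaler {
    uint8 internal constant POINT_DECIMALS = 18;

    /// @notice Read decimals() from the token; revert instead of silently
    ///         assuming 18 when the call fails or the value is unsupported.
    function lookupDecimals(address token) internal view returns (uint8) {
        (bool ok, bytes memory data) =
            token.staticcall(abi.encodeCall(IERC20Decimals.decimals, ()));
        require(ok && data.length >= 32, "decimals() unavailable");
        uint256 d = abi.decode(data, (uint256));
        // Tokens with more than 18 decimals are rejected at pool creation so
        // that scaling never has to truncate user balances.
        require(d <= POINT_DECIMALS, "unsupported decimals");
        return uint8(d);
    }

    /// @notice Scale a raw token amount to 18 decimals, e.g. 1 USDC
    ///         (1e6 raw units) becomes 1e18 point units.
    function toPointUnits(uint256 amount, uint8 tokenDecimals)
        internal pure returns (uint256)
    {
        return amount * uint256(10) ** uint256(POINT_DECIMALS - tokenDecimals);
    }

    /// @notice Inverse scaling used when paying raw tokens back out. The
    ///         division rounds down, so the contract never pays out more than
    ///         the user's scaled balance represents.
    function fromPointUnits(uint256 scaled, uint8 tokenDecimals)
        internal pure returns (uint256)
    {
        return scaled / uint256(10) ** uint256(POINT_DECIMALS - tokenDecimals);
    }
}
```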