Closed sherlock-admin4 closed 4 months ago
Low/Info issue submitted by fyamf
All the calculations in the protocol are assuming that the decimal of lpTokens are 18, but when a new pool is added to the farm, it is not enforcing the decimal to be 18.
lpTokens
When a new pool is added to the farm, it is not checked that the new lpToken has decimal 18 or not. https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L153-L187
lpToken
This leads to incorrect calculations as the rewards are calculated assuming that the decimals of the lpTokens are 18.
Manual Review
Or modify the code as follows.
function updatePool(uint256 _pid) public { //..... pool.accPointsPerShare = pointReward * (10**poolInfo[_pid].lpToken.decimals) / lpSupply + pool.accPointsPerShare; //.... }
function withdraw(uint256 _pid, uint256 _withdrawAmount) external { //......... user.rewardSettled = userAmount * pool.accPointsPerShare / 1e18 * (10**poolInfo[_pid].lpToken.decimals) + user.rewardSettled - user.rewardDebt; //......... }
function _deposit(uint256 _pid, uint256 _depositAmount, uint256 _boostAmount) internal { //......... user.rewardSettled = userAmount * pool.accPointsPerShare / 1e18 * (10**poolInfo[_pid].lpToken.decimals) + user.rewardSettled - user.rewardDebt; //......... }
Not enforcing to have decimal 18
Low/Info issue submitted by fyamf
Summary
All the calculations in the protocol are assuming that the decimal of
lpTokens
are 18, but when a new pool is added to the farm, it is not enforcing the decimal to be 18.Vulnerability Detail
When a new pool is added to the farm, it is not checked that the new
lpToken
has decimal 18 or not. https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L153-L187This leads to incorrect calculations as the rewards are calculated assuming that the decimals of the
lpTokens
are 18.Impact
Code Snippet
Tool used
Manual Review
Recommendation
lpToken
has decimal 18.Or modify the code as follows.