search

sherlock-audit / 2024-06-mellow-judging

7 stars 3 forks source link

sandy - Vault contract can't handle ``USDC/USDT`` tokens. #267

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 4 months ago

sandy

High

Vault contract can't handle USDC/USDT tokens.

Summary

Vault contract can't handle USDC/USDT tokens or other tokens less than 18 decimals.

Vulnerability Detail

As per the readme:

In src/oracles/ChainlinkOracle.sol, the priceX96 function does not take into account IERC20(base).decimals() and IERC20(token).decimals() when converting. For the current deployment, this is not a problem because the system operates with tokens from the set [weth, wsteth, steth].

weth, wsteth, steth are all 18 decimals tokens but for tokens like usdt/usdc which has 6 decimals, the calculation will be incorrect in the priceX96 function.

Vault contract uses priceX96() function here and here and using tokens with <18 decimals for depositing will lead to inflated priceX96 value calculation which ultimately leads to more lpAmount being minted for depositing.

Impact

If tokens with less than 18 decimals are added as underlying tokens, the protocol won't be able to handle them resulting in incorrect accounting as pricex96 plays a huge role in lpAmount calculation while depositing and withdrawing.

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/oracles/ChainlinkOracle.sol#L80

Tool used

Manual Review

Recommendation

Modify the priceX96() function to properly scale for tokens with <18 decimals like usdc/usdt.

Duplicate of #160