Closed sherlock-admin3 closed 1 month ago
Escalate
Out of scope.
Per contest README
Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)
A token that has decimals higher than 18 is a weird token. Since only standard ERC-20 tokens are in scope of this contest, the buggy line of code will never run.
Escalate
Out of scope.
Per contest
README
Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)
A token that has decimals higher than 18 is a weird token. Since only standard ERC-20 tokens are in scope of this contest, the buggy line of code will never run.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate
This is a good issue and well done to everyone that found it.
Escalate
This is a good issue and well done to everyone that found it.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate
This issue is valid. A token having more than 18 decimals does not make it not following the ERC20 standard. It is not defined anywhere that an ERC20 token must have a maximum of 18 decimals. See https://eips.ethereum.org/EIPS/eip-20. Otherwise, why is the possibility of having more than 18 decimals even coded in the protocol?
Escalate
Out of scope.
Per contest
README
Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)
A token that has decimals higher than 18 is a weird token. Since only standard ERC-20 tokens are in scope of this contest, the buggy line of code will never run.
Escalate
This issue is valid. A token having more than 18 decimals does not make it not following the ERC20 standard. It is not defined anywhere that an ERC20 token must have a maximum of 18 decimals. See https://eips.ethereum.org/EIPS/eip-20. Otherwise, why is the possibility of having more than 18 decimals even coded in the protocol?
Escalate
Out of scope.
Per contest
README
Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)
A token that has decimals higher than 18 is a weird token. Since only standard ERC-20 tokens are in scope of this contest, the buggy line of code will never run.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalate
This issue is valid. A token having more than 18 decimals does not make it not following the ERC20 standard. It is not defined anywhere that an ERC20 token must have a maximum of 18 decimals. See https://eips.ethereum.org/EIPS/eip-20. Otherwise, why is the possibility of having more than 18 decimals even coded in the protocol?
Escalate Out of scope. Per contest
README
Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)
A token that has decimals higher than 18 is a weird token. Since only standard ERC-20 tokens are in scope of this contest, the buggy line of code will never run.
High decimal (>18) tokens are in weird token category. And it`s simply OOS for this contest. https://github.com/d-xo/weird-erc20?tab=readme-ov-file#high-decimals
I think when we talk about standard tokens we're not simply referring to token that follow the eip. Some non-standard token adhere to the eip but are still weird , for example USDC follows the eip, no? but the sponsor still had to mention it explicitly because having 6 decimals make it non-standard and you have to treat it differently when integrating it into your protocol because of that.
So i believe non-18 decimal tokens actually classify as non-standard as they require special handling
All good points. I still think it is valid but will leave it to those who submitted it to defend it 😉
Spoke with the sponsor before submitting this issue, unsure of whether they considered tokens over 18
decimals were weird tokens. They confirmed there was a definite probability that the protocol would whitelist tokens over 18
decimals, which would be catastrophic.
Spoke with the sponsor before submitting this issue, unsure of whether they considered tokens over
18
decimals were weird tokens. They confirmed there was a definite probability that the protocol would whitelist tokens over18
decimals, which would be catastrophic.
Then they should not have said " only standard erc20 + usdc" 🤷🏼♂️
Currently, tokens over 18 decimals are considered non-standard, and the Readme states that only standard tokens will be used. Because of that, this issue is invalid.
Maybe in future contests, this rule for weird tokens will change a bit, and the sponsor will be asked to specify explicit weird traits of tokens they will use (decimals etc.)
Planning to accept @iamnmt escalation and invalidate the issue.
Result: Invalid Has duplicates
The protocol team fixed this issue in the following PRs/commits: https://github.com/sentimentxyz/protocol-v2/pull/318
hash
Medium
Incorrect decimal adjustment in
ChainlinkUsdOracle
Summary
Incorrect decimal adjustment in
ChainlinkUsdOracle
Vulnerability Detail
When adjusting for the decimals, the bracks are ommitted causing incorrect division
Eg: Decimals was 19, then instead of dividing by 10(19-18), the division will be performed by ~1019 itself. Casuing massive loss in the value
Impact
Incorrect valuation of assets breaking every calculation dependent on it, for eg: debt valuation,collateral valuation etc.
Code Snippet
https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/0b472f4bffdb2c7432a5d21f1636139cc01561a5/protocol-v2/src/oracle/ChainlinkUsdOracle.sol#L86
Tool used
Manual Review
Recommendation
Change to 10 ** (decimals - 18)