Collateral token and Loan token(USDC) decimals could be different leading to incorrect collateralization ratio checks

Summary

In the collateralization ratio check only the raw amount of the tokens are checked and not their inherent values. This could lead to tokens with different decimals to bypass this check.

Root Cause

function _assertCollateralizationRatioAtLeastOneHundredPercent(
        uint256 collateralAmount,
        uint256 loanAmount
    ) private pure {
        if (collateralAmount < loanAmount) {
            revert CollateralizationRatioTooLow();
        }
    }

This check could be incorrectly passed when using different tokens. https://github.com/sherlock-audit/2024-09-predict-fun/blob/main/predict-dot-loan/contracts/PredictDotLoan.sol#L1238

Internal pre-conditions

No response

External pre-conditions

The CTF token and the LoanToken decimals/value are different.

Attack Path

Assume a CTF with decimals 18, and a LoanToken with decimals USDC(6 decimals) => this is valid since they are planning on using USDC on their platforms
This would lead to the check always passing since the loan.Amount will mostly be less than the collateral.Amount
For example: loan.Amount =1e10 ($10,000) and collateral.Amount = 1e18(which is basically only 1 CTF token). This loan will be allowed to be made when it should not have been.

Impact

Loans/proposals with less than 100% collateralization ratio can be created.

PoC

No response

Mitigation

During the check make sure to include the decimals of the tokens too.

sherlock-audit / 2024-09-predict-fun-judging

Petite Coconut Barracuda - Collateral token and Loan token(USDC) decimals could be different leading to incorrect collateralization ratio checks #314