AccountFacet.Allocate() doesn't scale the inputted amount correctly, therefore failing to allocate enough funds, this is because allocated amounts are stored in 18 decimal units whereas the allocate() fails to adjust the amount allocated to 18 decimals before adding to state.
In a similar function; depositAndAllocate(); the appropriate checks were made and the allocate() was called with 18 decimals after deposit.
Root Cause
-Root cause is in AccountFacet.allocate() which doesn't adjust the allocated amount to 18 decimals before calling AccountFacetImpl.allocate
-the requisite adjustments were also not made in the AccountFacetImpl.allocate
Any users utilizing AccountFacet.allocate() to allocate 1000 USDC will end up only having 0.000000001 USDC allocated to their account, which is a very small fraction of their deposit. This might potentially lead to unexpected loss of funds due to the broken functionality if they rely on the accuracy of the outcome to perform certain actions dealing with funds/assets.
This case is similar to issues from from previous audit contest, the user expects to have full amount deposited and allocated, but ends up with only dust amount allocated, which can lead to unexpected liquidations (for example, user is at the edge of liquidation, calls Allocate to improve account health, but is liquidated instead). For consistency reasons, since this is almost identical to 222, should also be high.
Aycozzynfada
High
Allocate() is broken due to incorrect precision
Summary
AccountFacet.Allocate() doesn't scale the inputted amount correctly, therefore failing to allocate enough funds, this is because allocated amounts are stored in 18 decimal units whereas the allocate() fails to adjust the amount allocated to 18 decimals before adding to state.
In a similar function; depositAndAllocate(); the appropriate checks were made and the allocate() was called with 18 decimals after deposit.
Root Cause
-Root cause is in AccountFacet.allocate() which doesn't adjust the allocated amount to 18 decimals before calling AccountFacetImpl.allocate -the requisite adjustments were also not made in the AccountFacetImpl.allocate
Impact
Any users utilizing AccountFacet.allocate() to allocate 1000 USDC will end up only having 0.000000001 USDC allocated to their account, which is a very small fraction of their deposit. This might potentially lead to unexpected loss of funds due to the broken functionality if they rely on the accuracy of the outcome to perform certain actions dealing with funds/assets.
This case is similar to issues from from previous audit contest, the user expects to have full amount deposited and allocated, but ends up with only dust amount allocated, which can lead to unexpected liquidations (for example, user is at the edge of liquidation, calls Allocate to improve account health, but is liquidated instead). For consistency reasons, since this is almost identical to 222, should also be high.
PoC
https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacet.sol#L45-L64 https://github.com/sherlock-audit/2024-09-symmio-v0-8-4-update-contest/blob/main/protocol-core/contracts/facets/Account/AccountFacetImpl.sol#L38-L47 Below is the AcountFacet.allocate without the requisite adjustments
whereas with depositAndAllocate(), the amount was adjusted before calling AccountFacetImpl.allocate
Mitigation
Scale the amount to internal accounting precision (18 decimals) before passing it AccountFacetImpl.allocate