Submission Details
Severity: high
Valid

Protocol assumes tokens will only have 18 decimals

Summary

Currently the code assumes that all tokens used as collateral on the platform have 18 decimals, but this is not guaranteed, since there are no ERC20 token restrictions for creating a pool.
This could lead to a wrong LTV and to seriously misleading results afterwards. An example of such a token is USDC, which has only 6 decimals.

Vulnerability Details

  • If the collateral decimals are more than 18, we will probably be able to borrow an asset with a very small collateral amount (lower than the system thinks it is).

  • Also, if the collateral decimals are less than 18, the collateral provided by the borrower has to be way bigger than originally intended for the borrow to be valid.

Impact

Alice has a pool which lends DAI for USDC with a max LTV of 75%, which means that if Bob wants to borrow 150 DAI, he should collateralize at least 200 USDC. But here is what the result would be if we follow the current logic to calculate the LTV:

uint256 loanRatio = (debt * 10 ** 18) / collateral;

(150 * 10e18) / (200 * 10e6) = 750 * 10^9, instead of the expected 750 (LTV).
This means that if Bob wants to borrow $150 of DAI, he should provide at least around $2,000,000 USDC.
Is it worth it?
I don't think so.

Tools Used

Manual Review

Recommendations

Dynamically calculate the LTV using decimals() of the collateral.

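// collateralToken: the collateral ERC20 (name assumed); scale by 10 ** decimals(), not by decimals() itself
uint256 loanRatio = (debt * 10 ** collateralToken.decimals()) / collateral;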
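
The recommendation worked out as a Solidity library. This is an added example, not code from the audited protocol or from the submission. It goes beyond scaling by the collateral's decimals alone and brings both the loan token and the collateral token to a common scale, so tokens above or below 18 decimals are handled. The interface, library, function and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example; all names here are hypothetical, not the audited code base.
interface IERC20Decimals {
    // decimals() is optional in ERC-20; a token without it makes this call revert.
    function decimals() external view returns (uint8);
}

library LoanRatioLib {
    // Scale of the returned ratio, matching the 10 ** 18 factor in the finding.
    uint256 internal constant WAD = 1e18;

    /// @notice The formula quoted in the finding. It is only correct when the
    ///         loan token and the collateral token share the same decimals.
    function rawRatio(uint256 debt, uint256 collateral) internal pure returns (uint256) {
        return (debt * WAD) / collateral;
    }

    /// @notice Decimals-aware ratio: debt and collateral are compared as
    ///         whole-token amounts, so the result is always WAD-scaled.
    function normalizedRatio(
        address loanToken,
        address collateralToken,
        uint256 debt,
        uint256 collateral
    ) internal view returns (uint256) {
        require(collateral != 0, "zero collateral");
        uint256 debtUnit = 10 ** uint256(IERC20Decimals(loanToken).decimals());
        uint256 collUnit = 10 ** uint256(IERC20Decimals(collateralToken).decimals());
        // (debt / debtUnit) / (collateral / collUnit), rearranged to multiply
        // before dividing so no precision is lost. Checked arithmetic in
        // 0.8.x reverts on overflow instead of wrapping.
        return (debt * WAD * collUnit) / (collateral * debtUnit);
    }
}
```

A pool's max-LTV check would compare the result of `normalizedRatio` against its WAD-scaled limit; reading `decimals()` once at pool creation and storing both unit values avoids two external calls per borrow.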
