Pool will undervalue or overvalue tokens taken as collateral with different decimals values
Summary
Pool that comprises tokens with different decimals will undervalue or overvalue the LP Pool tokens. As a result, users might be liquidated prematurely or be able to borrow more than they are allowed. Also, the pool settlement process might break.
Vulnerability Details
The problem arises when every transfer or transferFrom of underlying tokens basically blocking all functions in for the token, since the contract wrongly assumes balances values.
Impact
When valuing the secondary balance in terms of the primary token, the result should be scaled up or down the decimals of the primary token accordingly if the decimals of the two tokens are different.
Contract Lender.sol calculates collateral in the borrow() by using decimals 18 (1e18) for ERC20 tokens. This leads to wrong rewards calculations and effectively loss of funds for all pools that will be using ERC20 tokens with different decimals than 18.
Tools Used
Manual code Review
Recommendations
It is recommended to add support for different number of decimals than 18 by dynamically checking decimals() for the tokens that are part of the rewards calculations. Alternatively if such a support is not needed, new require statements should be added to addToPool() line 182 that will be checking that the number of decimals for all ERC20 tokens is 18.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.