Submission Details
Severity: medium
Valid

Wrong Calculation for Interest-Ratio If Tokens with Different Decimals Are Used

Summary

Using loan and collateral tokens with different decimals may lead to a wrong ratio calculation.

Vulnerability Details

For example, the check

    uint256 loanRatio = (debt * 10 ** 18) / collateral;
    if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();

used with a 10^8 decimal token may produce a wrong result and lead to a revert:

    (500 * 10**18 * 10**18) / (500 * 10**8)

Even if the ratio is 1, this calculation will revert with RatioTooHigh.

Test case for the malfunction:

    function test_CantborrowWithLowDecimalToken() public {
        // Lender creates a pool whose collateral token has low decimals.
        vm.startPrank(lender1);
        Pool memory p = Pool({
            lender: lender1,
            loanToken: address(loanToken),
            collateralToken: address(collateralTokenwLowDec),
            minLoanSize: 100*10**18,
            poolBalance: 1000*10**18,
            maxLoanRatio: 2*10**18,
            auctionLength: 1 days,
            interestRate: 1000,
            outstandingLoans: 0
        });
        bytes32 poolId = lender.setPool(p);
        (,,,,uint256 poolBalance,,,,) = lender.pools(poolId);
        assertEq(poolBalance, 1000*10**18);

        // Borrower asks for 100 loan tokens against 100 collateral tokens.
        vm.startPrank(borrower);
        Borrow memory b = Borrow({
            poolId: poolId,
            debt: 100*10**18,
            collateral: 100*10**8
        });
        Borrow[] memory borrows = new Borrow[](1);
        borrows[0] = b;

        // The borrow reverts even though maxLoanRatio is 2*10**18.
        vm.expectRevert(RatioTooHigh.selector);
        lender.borrow(borrows);
    }

Impact

Tokens with low decimals, for example USDC, can't be used in the protocol.

Tools Used

Foundry test suite

Recommendations

Use tokens with the same decimals, or add decimal scaling logic.
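One way to implement the decimal scaling recommended above, as an added example (not code from the audited protocol or from this submission). `LoanRatioLib`, `normalizedRatio`, `checkRatio` and `IERC20Decimals` are hypothetical names; it assumes `maxLoanRatio` is an 18-decimal fixed-point ratio of whole-token amounts and that both tokens expose `decimals()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical names, not part of the audited code base.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

error RatioTooHigh();

library LoanRatioLib {
    /// Ratio as in the snippet from the finding: only meaningful when the
    /// loan and collateral tokens use the same number of decimals.
    function rawRatio(uint256 debt, uint256 collateral) internal pure returns (uint256) {
        return (debt * 10 ** 18) / collateral;
    }

    /// Decimal-aware ratio, 18-decimal fixed point:
    ///   (debt / 10^loanDec) / (collateral / 10^collDec) * 10^18
    /// rearranged so there is a single division (one truncation only).
    /// Checked arithmetic (0.8+) reverts on overflow and on collateral == 0.
    function normalizedRatio(
        uint256 debt,
        uint8 loanDec,
        uint256 collateral,
        uint8 collDec
    ) internal pure returns (uint256) {
        uint256 numerator = debt * 10 ** (18 + uint256(collDec));
        uint256 denominator = collateral * 10 ** uint256(loanDec);
        return numerator / denominator;
    }

    /// Replacement for the check in the finding (assumed call shape).
    function checkRatio(
        address loanToken,
        address collateralToken,
        uint256 debt,
        uint256 collateral,
        uint256 maxLoanRatio
    ) internal view {
        uint8 loanDec = IERC20Decimals(loanToken).decimals();
        uint8 collDec = IERC20Decimals(collateralToken).decimals();
        if (normalizedRatio(debt, loanDec, collateral, collDec) > maxLoanRatio) revert RatioTooHigh();
    }
}
```

With the test's values (debt `100*10**18` at 18 decimals, collateral `100*10**8` at 8 decimals), `rawRatio` yields `10**28` while `normalizedRatio` yields `10**18`, which passes a `maxLoanRatio` of `2*10**18`.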
