20,000 USDC
Submission Details
Severity: high
Valid

Borrowers with tokens that have fewer than 18 decimals can borrow more or less than the protocol accounting intends.

Summary

Borrowers with tokens that have fewer than 18 decimals can borrow more or less than desired, essentially breaking the platform and stealing its funds.

Vulnerability Details

In the function borrow:

uint256 loanRatio = (debt * 10 ** 18) / collateral;
if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();

The ratio is calculated by multiplying by 10**18, assuming that both the collateral token and the loan token have 18 decimals.

But that's not the case.

Take the example of the most popular ERC20 tokens at the time of this writing: USDC, USD and other popular ERC20 tokens.
They have 6 decimals.

And some tokens might have more than 6 or even more than 18 decimals,
because it is not compulsory to have 18 decimals as of now.

Trading these tokens will cause a discrepancy in the expectations, which will essentially break the accounting of the platform and let either the borrower (collateral token has more decimals than the loan token) or the lender (collateral token has fewer decimals) suffer monetary loss.

Impact

-> Monetary loss

-> Breaking the protocol's inner accounting, preventing it from functioning properly

Tools Used

Manual Review, Foundry

Recommendations

Handle decimals properly while calculating the tokens to award or to take.

Thanks
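
The following is an added example, not part of the original submission or the audited code base: a Python model of the integer arithmetic in the quoted borrow() check, run on raw token amounts as written and again after rescaling both amounts to 18 decimals. The maxLoanRatio value, the helper names and the two sample positions are assumptions constructed for illustration.

```python
# Python model of the Solidity integer math in the quoted borrow() check.
WAD = 10 ** 18
# Assumed pool.maxLoanRatio (constructed value): 2 loan tokens per collateral token.
MAX_LOAN_RATIO = 2 * WAD


def raw_loan_ratio(debt: int, collateral: int) -> int:
    """The ratio exactly as in the quoted check: raw base units, decimals ignored."""
    return (debt * WAD) // collateral


def to_wad(amount: int, decimals: int) -> int:
    """Rescale a raw token amount to 18 decimals (hypothetical helper)."""
    if decimals <= 18:
        return amount * 10 ** (18 - decimals)
    return amount // 10 ** (decimals - 18)  # tokens with more than 18 decimals


def normalized_loan_ratio(debt: int, debt_dec: int, coll: int, coll_dec: int) -> int:
    """Same ratio, computed after both amounts share the 18-decimal scale."""
    return (to_wad(debt, debt_dec) * WAD) // to_wad(coll, coll_dec)


def passes(ratio: int) -> bool:
    """Mirror of: if (loanRatio > pool.maxLoanRatio) revert RatioTooHigh();"""
    return ratio <= MAX_LOAN_RATIO


# Constructed positions: (label, raw debt, debt decimals, raw collateral, collateral decimals)
CASES = [
    ("1,000,000 loan tokens (6 dec) vs 1 collateral token (18 dec)",
     1_000_000 * 10 ** 6, 6, 1 * 10 ** 18, 18),
    ("1 loan token (18 dec) vs 1 collateral token (6 dec)",
     1 * 10 ** 18, 18, 1 * 10 ** 6, 6),
]


def evaluate(cases=CASES):
    """Return (label, raw check passes, normalized check passes) per position."""
    return [(label,
             passes(raw_loan_ratio(debt, coll)),
             passes(normalized_loan_ratio(debt, dd, coll, cd)))
            for label, debt, dd, coll, cd in cases]


if __name__ == "__main__":
    for label, raw_ok, norm_ok in evaluate():
        print(f"{label}: raw check passes={raw_ok}, normalized check passes={norm_ok}")
```

With the raw amounts, the first position passes the check even though the token-for-token ratio is 1,000,000 to 1, and the second reverts even though the ratio is 1 to 1; after rescaling, both outcomes flip.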
