Submission Details
Severity: high
Valid

`Lender` assumes that `loanToken` and `collateralToken` have the same number of decimals

Summary

When calculating the loanRatio, the system assumes that the collateralToken has 18 decimals and that the loanToken uses the same number of decimals as maxLoanRatio.

This assumption is incorrect because many ERC20 tokens do not use 18 decimals (Gemini USD uses 2 decimals, USDC uses 6 decimals, and so on).

This assumption could lead to pool misconfiguration and a wrong loanRatio calculation; as a consequence, any operation that performs the loanRatio > pool.maxLoanRatio check could either revert or allow the borrower to over-borrow.

Vulnerability Details

When calculating the loanRatio, the system assumes that the collateralToken has 18 decimals and that the loanToken uses the same number of decimals as maxLoanRatio.

This assumption is incorrect because many ERC20 tokens do not use 18 decimals (Gemini USD uses 2 decimals, USDC uses 6 decimals, and so on).

This assumption could lead to pool misconfiguration and a wrong loanRatio calculation; as a consequence, any operation that performs the loanRatio > pool.maxLoanRatio check could either revert or allow the borrower to over-borrow.

Impact

The operations that perform the loanRatio > pool.maxLoanRatio check could revert or allow the borrower to over-borrow.

Tools Used

Manual

Recommendations

The protocol should:

  • Allow only ERC20 tokens with 18 decimals, by reverting during pool creation if either token does not have 18 decimals

  • Rewrite the logic to handle tokens that could use different decimals
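The following is an added illustration, not code from the `Lender` contract or this submission. It models the impact described above (over-borrowing in one direction, spurious reverts in the other) and both recommendations. It assumes the ratio is computed as `debt * 1e18 / collateral` in raw token units, which is the shape of the check the finding describes but is not quoted on the page; the token decimals are the ones the finding lists, and the maxLoanRatio values and amounts are constructed for the example.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed-point scale maxLoanRatio is expressed in (assumption)


@dataclass(frozen=True)
class Token:
    symbol: str
    decimals: int


# Constructed sample tokens; decimals as stated in the finding.
USDC = Token("USDC", 6)
GUSD = Token("GUSD", 2)
WETH = Token("WETH", 18)


def naive_loan_ratio(debt: int, collateral: int) -> int:
    """Ratio as a pool computes it when it assumes both tokens use 18 decimals
    (assumed formula): raw debt scaled by 1e18, divided by raw collateral."""
    return debt * WAD // collateral


def to_wad(amount: int, decimals: int) -> int:
    """Scale a raw token amount to 18 decimals (recommendation 2)."""
    if decimals <= 18:
        return amount * 10 ** (18 - decimals)
    return amount // 10 ** (decimals - 18)


def normalized_loan_ratio(debt: int, loan: Token, collateral: int, coll: Token) -> int:
    """Decimals-aware ratio: both amounts are brought to 18 decimals first."""
    return to_wad(debt, loan.decimals) * WAD // to_wad(collateral, coll.decimals)


def borrow_allowed(loan_ratio: int, max_loan_ratio: int) -> bool:
    """The check the finding refers to: borrowing passes unless loanRatio > maxLoanRatio."""
    return not loan_ratio > max_loan_ratio


def check_pool_tokens(loan: Token, coll: Token) -> None:
    """Recommendation 1: reject pool creation unless both tokens use 18 decimals."""
    if loan.decimals != 18 or coll.decimals != 18:
        raise ValueError(f"pool tokens must use 18 decimals: {loan.symbol}, {coll.symbol}")


def over_borrow_scenario() -> tuple[bool, bool]:
    """Loan token with fewer decimals than collateral (USDC against WETH).
    Lender intends at most 1500 USDC per WETH, expressed in 18 decimals."""
    max_loan_ratio = 1500 * WAD
    collateral = 1 * 10**18            # 1 WETH, raw units
    debt = 1_500_000 * 10**6           # 1,500,000 USDC, raw units (1000x the intended cap)
    naive = borrow_allowed(naive_loan_ratio(debt, collateral), max_loan_ratio)
    fixed = borrow_allowed(normalized_loan_ratio(debt, USDC, collateral, WETH), max_loan_ratio)
    return naive, fixed                # naive passes (over-borrow); normalized rejects


def spurious_revert_scenario() -> tuple[bool, bool]:
    """Collateral with fewer decimals than the loan token (WETH against GUSD).
    Lender intends at most 0.0005 WETH per GUSD, expressed in 18 decimals."""
    max_loan_ratio = 5 * 10**14
    collateral = 100                   # 1.00 GUSD, raw units (2 decimals)
    debt = 5 * 10**14                  # exactly the intended cap for 1 GUSD
    naive = borrow_allowed(naive_loan_ratio(debt, collateral), max_loan_ratio)
    fixed = borrow_allowed(normalized_loan_ratio(debt, WETH, collateral, GUSD), max_loan_ratio)
    return naive, fixed                # naive rejects a valid borrow; normalized accepts


if __name__ == "__main__":
    print("USDC/WETH (naive allowed, normalized allowed):", over_borrow_scenario())
    print("WETH/GUSD (naive allowed, normalized allowed):", spurious_revert_scenario())
```

The two scenarios show why the sign of the error depends on which side has fewer decimals: a low-decimal loan token makes the raw ratio far too small (the cap is effectively removed), while a low-decimal collateral token makes it far too large (valid borrows revert). `to_wad` also handles tokens with more than 18 decimals, which the finding does not list but the same normalization covers.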
