Summary

The code consider the return decimals from price feed is always 8 decimals but there is some cases where the decimals is different, like AMPL/USDC which have 18 decimals, this can lead to users mint more or can't be liquidated.

Vulnerability Details

The code consider to use any kind of token to create a stable coin, from description we hare: "The system is meant to be such that someone could fork this codebase, swap out WETH & WBTC for any basket of assets they like, and the code would work the same." In case of one collateral token be AMPL, which returns 18 decimals from price feed, the calculation for getTokenAmountFromUsd and getUsdValue would be incorrect, leading the user to mint more than expected and can't be liquidated.

POC

The getUsdValue is used to get total value in USD in collateral that the user have, and further used to calculate the account health factor. The incorrect decimals calculation would leave the user with larger health factor, check the calculation:

The correct value would be 10e18 and not 10e28, the inflating value in USD leave the user with better health factor than expected.

Now, checking the getTokenAmountFromUsd function, this function is called in liquidate function to calculate the amount of collateral the liquidator will get from account.

The expected value here is 1e18 but the returned is 1e8, this means the liquidator will get less collateral than he should get and in some cases he would get nothing, just paying the liquidator debts

Impact

In case of one of collateral list is AMPL, the contract will be exposed to be exploited by AMPL holders.

Tools Used

Manual Review

Recommendations

Consider using the price feed decimals instead of a constant ADDITIONAL_FEED_PRECISION