The contracts in src/protocols assume that every token has 18 decimals. That is frequently not the case (USDC and USDT use 6, WBTC uses 8), and any amount or rate computed under that assumption is mis-scaled for such tokens: a token with fewer decimals is valued far too low (or, depending on the direction of the conversion, far too high), which can be exploited.
Source: L24-L26 in AssetToken.sol:
uint256 private s_exchangeRate;
uint256 public constant EXCHANGE_RATE_PRECISION = 1e18;
uint256 private constant STARTING_EXCHANGE_RATE = 1e18;
s_exchangeRate is what the view function exposes as the value of one asset token in terms of the underlying. It is stored with EXCHANGE_RATE_PRECISION = 1e18 and starts at 1e18, which is only a true 1:1 rate if the asset token and the underlying share the same number of decimals. For an underlying with fewer decimals the reported rate overvalues or undervalues the position, and the mismatch can be exploited.
Source: L143-L144:
s_feePrecision = 1e18;
s_flashLoanFee = 3e15;
The same assumption is baked into the fee: 3e15 against a precision of 1e18 is a 0.3% fee only if every amount it is multiplied against is on the same 18-decimal scale. For a token with fewer than 18 decimals that assumption fails and the fee is mis-scaled.
In that situation an attacker can deposit only a small amount, take a flash loan, and, because the amounts are mis-scaled, drain the protocol of far more than they put in.
Manual review
Consider reading each token's decimals() when it is allowed into the protocol, rejecting tokens that do not expose it, and scaling every amount to a common 18-decimal precision before it is compared against EXCHANGE_RATE_PRECISION or s_feePrecision.
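One way to implement that check, as an added example that is not part of this report or of the audited codebase: a small library that validates a token's decimals() once when the token is whitelisted and normalises raw token units to and from an 18-decimal scale, plus a hypothetical pool sketch showing the exchange-rate and fee math run on normalised amounts. The library name, the DecimalAwarePool contract and its function names are assumptions for illustration; IERC20Metadata is OpenZeppelin's interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";

/// Added example, not the audited project's code. Normalises token amounts to
/// the 18-decimal scale that EXCHANGE_RATE_PRECISION and s_feePrecision assume.
library DecimalNormalizer {
    uint8 internal constant TARGET_DECIMALS = 18;

    error UnsupportedDecimals(address token, uint8 decimals);
    error DecimalsUnavailable(address token);

    /// Reads decimals(). A token that reverts on decimals() is rejected through
    /// the catch; an address with no code reverts outright, which rejects it too.
    /// Tokens with more than 18 decimals are refused so we only ever scale up.
    function checkedDecimals(address token) internal view returns (uint8 dec) {
        try IERC20Metadata(token).decimals() returns (uint8 d) {
            dec = d;
        } catch {
            revert DecimalsUnavailable(token);
        }
        if (dec > TARGET_DECIMALS) revert UnsupportedDecimals(token, dec);
    }

    /// Raw token units -> 18-decimal units (1_000_000 units of a 6-decimal token -> 1e18).
    function toWad(address token, uint256 amount) internal view returns (uint256) {
        uint8 dec = checkedDecimals(token);
        return amount * 10 ** (TARGET_DECIMALS - dec);
    }

    /// 18-decimal units -> raw token units. Dust below the token's resolution is
    /// truncated toward zero; callers that pay out must account for that rounding.
    function fromWad(address token, uint256 wad) internal view returns (uint256) {
        uint8 dec = checkedDecimals(token);
        return wad / 10 ** (TARGET_DECIMALS - dec);
    }
}

/// Hypothetical sketch (assumption, not the project's contract) of a pool that
/// validates decimals at whitelist time and does its rate and fee math in wad.
contract DecimalAwarePool {
    using DecimalNormalizer for address;

    uint256 public constant EXCHANGE_RATE_PRECISION = 1e18;
    uint256 public constant FEE_PRECISION = 1e18;
    uint256 public flashLoanFee = 3e15; // 0.3%, the value the report quotes

    mapping(address => bool) public allowed;
    /// Underlying (in wad) per asset token, 1e18 == 1:1.
    mapping(address => uint256) public exchangeRate;

    function allowToken(address token) external {
        token.checkedDecimals(); // reverts on missing or unsupported decimals
        allowed[token] = true;
        exchangeRate[token] = EXCHANGE_RATE_PRECISION;
    }

    /// Asset tokens (18 decimals) to mint for a deposit given in the
    /// underlying's raw units. Without toWad, a 6-decimal deposit would mint
    /// 1e12 times too few asset tokens.
    function assetTokensFor(address underlying, uint256 rawAmount) public view returns (uint256) {
        require(allowed[underlying], "token not allowed");
        return (underlying.toWad(rawAmount) * EXCHANGE_RATE_PRECISION) / exchangeRate[underlying];
    }

    /// Underlying, in its own raw units, redeemable for an asset-token amount.
    function underlyingFor(address underlying, uint256 assetAmount) public view returns (uint256) {
        require(allowed[underlying], "token not allowed");
        uint256 wad = (assetAmount * exchangeRate[underlying]) / EXCHANGE_RATE_PRECISION;
        return underlying.fromWad(wad);
    }

    /// Flash-loan fee in the token's raw units, taken on the normalised amount.
    function calculateFee(address token, uint256 rawAmount) public view returns (uint256) {
        require(allowed[token], "token not allowed");
        uint256 feeWad = (token.toWad(rawAmount) * flashLoanFee) / FEE_PRECISION;
        return token.fromWad(feeWad);
    }
}
```

The point of doing the check in allowToken rather than on every call is that decimals() is effectively immutable for a deployed ERC20, so one revert at whitelist time keeps every later deposit, redemption and fee computation on a single scale; fromWad truncates, so any path that pays out must treat the dropped dust as belonging to the pool, not the user.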