The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Different token decimals lead to `costInEuros` becoming `ZERO`

Summary

Different tokens have different decimals (e.g. USDT = 6 decimals, DAI = 18 decimals). If accepted tokens have 18 decimals, it will always lead to the `costInEuros` value being ZERO.

Vulnerability Details

Let's look at how `costInEuros` is determined in the `distributeAssets()` function.

```solidity
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
    * _hundredPC / _collateralRate;
if (costInEuros > _position.EUROs) {
    _portion = _portion * _position.EUROs / costInEuros;
    costInEuros = _position.EUROs;
}
```

In the above code, we can observe the calculation that determines `costInEuros`: the asset token decimals are subtracted from 18 to scale the amount to 18 decimals, and the result is used in the further operations.

Take the following scenarios:

  1. If asset tokens have 18 decimals (DAI), then it leads to a zero `costInEuros` variable.

  2. If asset tokens have fewer than 18 decimals (USDT = 6), then it leads to a different output than expected.

  3. If asset tokens have more than 18 decimals (YAMv2 = 24), then it leads to underflow errors.

Impact

Subtracting the asset token decimals from 18 leads to various issues while calculating `costInEuros`.

Tools Used

Manual View

Recommendations

Instead of subtracting, we can directly use `asset.token.dec` in the calculation.

```solidity
uint256 costInEuros = _portion * asset.token.dec * uint256(assetPriceUsd) / uint256(priceEurUsd)
    * _hundredPC / _collateralRate; // Check here @audit
if (costInEuros > _position.EUROs) {
    _portion = _portion * _position.EUROs / costInEuros;
    costInEuros = _position.EUROs;
}
```

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
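
The three decimals scenarios listed in the submission can be checked by evaluating the quoted `costInEuros` expression with Solidity-style integer arithmetic. The Python model below is an added example, not code from the submission or from The Standard; it assumes Solidity 0.8+ checked arithmetic, and the prices and the `hundred_pc` / `collateral_rate` values are constructed.

```python
# Added example: models the quoted costInEuros expression with Solidity-style
# unsigned integers. Assumes Solidity 0.8+ checked arithmetic.
UINT256_MAX = 2**256 - 1

class Revert(Exception):
    """Stands in for a Solidity arithmetic panic (underflow/overflow)."""

def checked_sub(a, b):
    if b > a:
        raise Revert("underflow")
    return a - b

def checked_mul(a, b):
    if a * b > UINT256_MAX:
        raise Revert("overflow")
    return a * b

def cost_in_euros(portion, token_dec, asset_price_usd, price_eur_usd,
                  hundred_pc, collateral_rate):
    # Same operator order as the Solidity line: ** first, then * and / left to right.
    scale = 10 ** checked_sub(18, token_dec)
    x = checked_mul(portion, scale)
    x = checked_mul(x, asset_price_usd)
    x //= price_eur_usd                      # integer division truncates
    x = checked_mul(x, hundred_pc)
    return x // collateral_rate

# Constructed sample values (not from the page): 8-decimal price feeds,
# asset at 1.00 USD, EUR at 1.10 USD, and hypothetical rate constants.
SAMPLE = dict(asset_price_usd=100_000_000, price_eur_usd=110_000_000,
              hundred_pc=100_000, collateral_rate=120_000)

def cost_for_whole_tokens(whole_tokens, token_dec):
    """Cost for `whole_tokens` units of a token with `token_dec` decimals,
    or the string 'revert' if the arithmetic would panic."""
    try:
        return cost_in_euros(whole_tokens * 10**token_dec, token_dec, **SAMPLE)
    except Revert:
        return "revert"

if __name__ == "__main__":
    for name, dec in (("18 decimals", 18), ("6 decimals", 6), ("24 decimals", 24)):
        print(name, cost_for_whole_tokens(100, dec))
```

With these inputs the 18-decimal and 6-decimal cases return the same 18-decimal EUROs amount, and only the 24-decimal case fails, at the `18 - token_dec` subtraction.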
