Part 2

Note: there are several instances where vault's totalAssets() is interrogated and not properly scaled to ZAROS precision (18 decimal points, usually UD60x18 or UD59x18 representation).
Each of these instances have (most likely) high impact for the protocol and/or protocol's users.
This report describe only one such instance and links to the rest of them are added at the end.

Summary
Vault::getTotalCreditCapacityUsd returns a wrong USD amount for collateral assets with decimals < 18.
Vaults will report a highly diminished credit capacity.

Vulnerability Details

getTotalCreditCapacityUsd calculates the vault's credit capacity by multiplying vault's totalAssets by asset price.

Themul operation multiplies two UD60x18 numbers together, returning a new UD60x18 number.
The problem is that totalAssets is casted to ud60x18 type without scaling the amount to 18 decimal precision.
This will make the totalAssetsUsdX18 to be much smaller and the function will return a diminished credit capacity.

If the asset used is wBTC (8 decimals), the asset value will be diminished by 10**(18 - 8) times making the vault credit capacity close to zero.

Impact

Vault with tokens with decimal precision < 18 will not be used because their credit capacity is significantly reduced.

More instances of the same issue

• StabilityBranch::initiateSwap
  ctx.vaultAssetBalance is in native decimals and ctx.expectedAssetOut is the returned of getAmountOfAssetOut . This function computes the amountOut with 18decimal precision.
  User can't swap usdToken for vault's asset.

• StabilityBranch::getAmountOfAssetOut
  getPremiumDiscountFactor expects an UD60x18 type and makes operation with 18 decimal precision, but vaultAssetsUsdX18 has native decimals.
  DebtTvlRatio is heavely increased, decreasing the premiumDiscountFactorX18; The amuntOutX18 returned by getAmountOfAssetOut will be discounted.

Tools Used

Recommendations

Use convertTokenAmountToUd60x18 to convert total assets to ZAROS precision: