Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

token conversions are incorrect in Stability Pool

Summary

Incorrect conversion of rToken to deToken.

Vulnerability Details

Burning deToken should return the same amount of R token that was deposited. Here, however, the same amount of R token is not returned after burning deToken because the conversion is incorrect.

This function returns the amount of deToken to mint for a given R token amount.

function calculateDeCRVUSDAmount(uint256 rcrvUSDAmount) public view returns (uint256) {
    uint256 scalingFactor = 10**(18 + deTokenDecimals - rTokenDecimals);
    return (rcrvUSDAmount * scalingFactor) / getExchangeRate();
}

This function returns the R token amount received when burning deToken.

function calculateRcrvUSDAmount(uint256 deCRVUSDAmount) public view returns (uint256) {
    uint256 scalingFactor = 10**(18 + rTokenDecimals - deTokenDecimals);
    return (deCRVUSDAmount * getExchangeRate()) / scalingFactor;
}

Consider the case where deTokenDecimals and rTokenDecimals are different: 6 and 18 respectively.

Consider a user staking 1e18 R token. The minting calculation is:

scalingFactor = 10**(18 + 6 - 18) = 10^6

deToken(mint) = 1e18 * 10^6 / 1e18 = 10^6

If the user burns the same deToken amount (10^6), the user should receive the initial deposit amount (1e18).

When burning 10^6 deToken:

scalingFactor = 10**(18 + 18 - 6) = 10^30

Rtoken(mint) = 10^6 * 1e18/10^30 = 10^24/10^30, which rounds down to zero. But it should return 1e18 R token.

This means the token conversion is not done properly. The reason is that a different scalingFactor is used for each of the two conversions. Use the same scalingFactor, comparing the higher and lower decimals, since that is needed to prevent a negative power in scalingFactor.

Impact

Token conversion is incorrect.

Tools Used

Manual Review

Recommendations

Use the same scalingFactor for both cases.
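The round trip described in the submission can be checked with an integer model of the two quoted functions. This is an added example, not code from the contest repository or the submitter: it assumes getExchangeRate() returns 1e18 (as the worked numbers do), the decimal pairs are constructed, and burn_de_same_factor is one reading of the recommendation.

```python
# Integer model of the two StabilityPool conversions quoted above.
# Solidity uint256 division truncates; Python's // does the same for non-negatives.
RATE = 10**18  # assumption: getExchangeRate() returns 1e18, as in the worked numbers


def _pow10(exp):
    # A negative exponent cannot be represented in unsigned arithmetic.
    if exp < 0:
        raise ArithmeticError("scaling exponent is negative")
    return 10**exp


def mint_de(r_amount, r_dec, de_dec, rate=RATE):
    """calculateDeCRVUSDAmount as written on the page."""
    return r_amount * _pow10(18 + de_dec - r_dec) // rate


def burn_de_original(de_amount, r_dec, de_dec, rate=RATE):
    """calculateRcrvUSDAmount as written on the page."""
    return de_amount * rate // _pow10(18 + r_dec - de_dec)


def burn_de_same_factor(de_amount, r_dec, de_dec, rate=RATE):
    """Hypothetical burn using the mint-side scaling factor."""
    return de_amount * rate // _pow10(18 + de_dec - r_dec)


def round_trip(burn, r_amount, r_dec, de_dec):
    """Deposit r_amount, burn everything minted, return what comes back."""
    return burn(mint_de(r_amount, r_dec, de_dec), r_dec, de_dec)


if __name__ == "__main__":
    # Constructed decimal pairs: the report's case, the 18/18 case, and the reverse.
    for r_dec, de_dec in [(18, 6), (18, 18), (6, 18)]:
        deposit = 10**r_dec  # one whole R token
        print(r_dec, de_dec, deposit,
              round_trip(burn_de_original, deposit, r_dec, de_dec),
              round_trip(burn_de_same_factor, deposit, r_dec, de_dec))
```

With equal decimals both burn variants return the deposit; the quoted formulas diverge only when the decimals differ, under-returning in the 18/6 case and over-returning in the 6/18 case.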

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Incorrect scaling factor formula in StabilityPool::calculateRcrvUSDAmount function

Both tokens have 18 decimals. Info
