Non-18-decimals collateral token breaks USD valuation (e.g. USDC=6), mispricing the health factor and causing insolvency
Non-18-decimals collateral token breaks USD valuation, leading to mispriced health factors and insolvency
Description
_get_usd_value hardcodes ADDITIONAL_FEED_PRECISION = 1e10 and divides by PRECISION = 1e18, which only produces a correct USD value when the collateral token has exactly 18 decimals and the feed has 8. Any collateral with a different number of decimals (e.g. USDC/USDT = 6, WBTC = 8) is valued off by orders of magnitude.
The protocol registers exactly two collateral tokens in the constructor with no per-token decimals lookup, so a 6-decimals token's amount is 1e12x too small and the position is valued at ~one-millionth of its real worth.
Risk
Likelihood:
High. Stablecoin engines are routinely deployed with USDC/WBTC-style collateral, and the constructor accepts any two token addresses. The First Flight's own setup uses standard tokens.
Impact:
High. Mispricing flows directly into _calculate_health_factor. A 6-decimals collateral is undervalued, so a depositor cannot mint against real value and a tiny price move triggers unfair liquidation; conversely a token with >18 decimals is overvalued, letting a user mint DSC far beyond their collateral and leaving the protocol undercollateralized / insolvent.
Proof of Concept
Deploy the engine with a 6-decimals collateral feed at $1; deposit 1000e6 (=$1000) and call get_account_collateral_value.
Recommended Mitigation
Normalize every collateral amount to 18 decimals using the token's decimals() before valuation.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.