Skip to content
This repository has been archived by the owner on Sep 3, 2023. It is now read-only.

peanuts - If the collateral token and loan token does not have the same decimal places, collateral ratio will be broken #136

Closed
github-actions bot opened this issue Mar 10, 2023 · 0 comments
Closed

peanuts - If the collateral token and loan token does not have the same decimal places, collateral ratio will be broken #136

github-actions bot opened this issue Mar 10, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

github-actions bot commented Mar 10, 2023
edited

peanuts

high

If the collateral token and loan token does not have the same decimal places, collateral ratio will be broken

Summary

If the collateral token and loan token does not have the same decimal places, collateral ratio will be broken.

Vulnerability Detail

The collateral ratio is calculated by taking the user's debt and dividing it by the user's collateral balance, and scaled to 1e18.

        uint userCollateralRatioMantissa = userDebt * 1e18 / collateralBalanceOf[msg.sender];

If userDebt (loan token) is BTC which has a decimal of 1e18 and collateral balance is USDC has a decimal of 1e6, then the collateral ratio will not be scaled to 1e18.

        require(userCollateralRatioMantissa <= _currentCollateralRatioMantissa, "Pool: user collateral ratio too high");

Since all the other state variables, like _currentCollateralRatioMantissa, is scaled to 1e18, the protocol will be broken if the collateral and loan token do not have the same decimals.

    /// @notice Gets the pool collateral ratio in mantissa (scaled by 1e18)
    /// @param _lastCollateralRatioMantissa The last collateral ratio of the pool in mantissa (scaled by 1e18)
    /// @param _maxCollateralRatioMantissa The maximum collateral ratio of the pool in mantissa (scaled by 1e18)
    /// @param _surgeMantissa The utilization at which the surge threshold is triggered in mantissa (scaled by 1e18)

If the decimals of loan token is lower than the decimals of collateral token, then user collateral ratio will always be lower than current collateral ratio, and the check below will always pass.

        require(userCollateralRatioMantissa <= _currentCollateralRatioMantissa, "Pool: user collateral ratio too high");

Impact

Protocol will be broken as comparing collateral ratio will not work as expected.

Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L474

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L433

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L206-L215

Tool used

Manual Review

Recommendation

Make sure the two tokens have the same decimal places before anything happens.

Duplicate of #122
@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Mar 10, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Mar 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin