Code4renaCODE423N4:2022-03-BICONOMY-FINDINGS-ISSUES-174Reward and base token decimals difference isn't accounted for in LiquidityFarming
Vulnerability details
Impact
Reward and base token decimals can differ, while this difference isn’t accounted for in the reward amount calculations, which will lead to either missing rewards or sending the whole rewards balance to the first eligible user.
For example:
If reward is native, while base is USDC, then rewards are basically zero as 1 USDC is 1e-12 native token, so the USDC amount used as the base of reward calculation makes negligible the whole reward amount.
If reward is USDC, and base is native, the first reward amount due will most probably use the whole available balance.
Both cases will lead to losses of the rewards for the most of the LP users
Proof of Concept
LP shares saved in the LpTokenMetadata structure have the decimals of {18 + base token’s decimals}:
When shares are used in LiquidityFarming, their decimals are reduced to base token’s, for example:
However, this base token amount is then used to calculate reward amounts without decimals adjustment. In other words, rewardTokens[baseToken] is treated as if it is guaranteed to have the same decimals as baseToken:
This isn’t enforced in any way, the reward token for a given base token can be arbitrary:
If reward and base token’s decimals differ, the reward accounting can become grossly incorrect proportionally to the decimals difference
Recommended Mitigation Steps
Most common approach here is to add the token decimals variables to the contract and the decimals difference multiplier to the rewards calculations
The text was updated successfully, but these errors were encountered:
All reactions