21 matches found
doInteraction() won't mint tokens to user if interaction.specifiedAmount less than 10**12 and has certain conditions
Lines of code Vulnerability details Impact If the user calls doInteraction and executes Interaction with specifiedAmount less than 10 12 and a big difference in token decimals, the user won't get any tokens. Proof of Concept Core external functions like doInteraction will call the internal...
Decimal Precision Issue in Price Calculations
Lines of code Vulnerability details Impact The getRSETHPrice function perform calculations like multiplying prices by amounts without considering the token decimals. This can cause errors to accumulate over multiple calculations. Ignoring token decimals when performing price calculations can caus...
Upgraded Q -> 2 from #385 [1699029474432]
Judge has assessed an item in Issue 385 as 2 risk. The relevant finding follows: L-03 UniV3Relayer contract works only with tokens of decimals = 18 Details When the UniV3Relayer contract is deployed; the multiplier state variable that’s going to be used to parse the price result from the aggregat...
accure interest function is likely failed to accure interest for token with low decimal
Lines of code Vulnerability details Impact loss of precision is too high when accuring interest Proof of Concept When intereste accures, we are calling uint256 interestAmount; uint256 interestRate = IIRMirm.getInterestRateaddressthis, trancheIndex, totalDeposit, totalBorrow; interestAmount =...
Incorrect Score calculation in Prime.sol
Lines of code Vulnerability details Impact Score is not calculated correctly; improperly high weight will be given to the staked XVS amount or the supply/borrow amount. Rewards accrued will not be properly calculated, so users may accrue too much or too little reward. Proof of Concept...
Upgraded Q -> 2 from #308 [1685704892606]
Judge has assessed an item in Issue 308 as 2 risk. The relevant finding follows: L-04 MINNONZEROTOTALSHARES of 1e9 could lead to stuck funds for underlying tokens with lower decimals in the future StrategyBase.solL28 uint96 internal constant MINNONZEROTOTALSHARES = 1e9; In the future, to support...
Upgraded Q -> 2 from #454 [1685704791672]
Judge has assessed an item in Issue 454 as 2 risk. The relevant finding follows: L-1 StrategyBaseMINNONZEROTOTALSHARES constant doesn't support tokens with 1e6 decimals The minimal value will be too high for tokens with 1e6 decimals USDT, USDC. 28: uint96 internal constant MINNONZEROTOTALSHARES =...
Does not support non-18 decimals token
Lines of code Vulnerability details Impact Hardcode 1e18 for calculating fees and rewards, can make the template protocoal non flexiable for the calculating...
Upgraded Q -> M from #351 [1674418158719]
Judge has assessed an item in Issue 351 as M risk. The relevant finding follows: Stable Vault cannot accept tokens with more then 18 decimals because of this lines: Consider using different conversion formula. For example: amount 1e18 / 10token.decimals for deposit and amount 10token.decimals /...
Upgraded Q -> M from #658 [1674423108320]
Judge has assessed an item in Issue 658 as M risk. The relevant finding follows: L-05 MARGIN ASSET TOKENS WITH MORE THAN 18 DECIMALS ARE NOT SUPPORTED As shown below, arithmetic operations of the StableVault.deposit, StableVault.withdraw, Trading.handleDeposit, and Trading.handleWithdraw function...
WithdrawProxy calculation error for tokens with decimals != 18 leads to claim reverting
Lines of code Vulnerability details withdrawRatio has 18 decimals 314: s.liquidationWithdrawRatio = proxySupply 315: .mulDivDown1e18, totalSupply 316: .safeCastTo88; 317: 318: currentWithdrawProxy.setWithdrawRatios.liquidationWithdrawRatio; But in WithdrawProxy.claim, transferAmount divides...
Token decimals may be above 18 leading to underflow issues
Lines of code Vulnerability details Impact In both StableVault and Trading, there is an assumption that token decimal amounts are =18. However this can break if token decimals are 18, resulting in underflow which can lead to unpredictable behaviors, and extreme amounts during deposits and...
Oracle's getPrice() returns the wrong price in certain combinations of oracle feed and token decimals
Lines of code Vulnerability details Impact The oracle's getPrice returns a price that is off by several orders of magnitued depending of the combination of decimals for the Chainlink's pricefeed and underlaying token's pricefeed Actually it based on the decimals set when adding the feed tot he...
Wrong reward calculation when reward token's decimals are different than 18
Lines of code Vulnerability details Impact When a user creates a pledge, she can specify the maximum amount of the Total Rewards and the maximum amount of fee amount she is willing to spend. By using the rewardPerVote, the vars.votesDifference and the vars.duration the smart contract calculates...
There is a problem with price calculation using BaseV1Pair._getAmountOut.
Lines of code Vulnerability details Impact Currently, it calculates token price with the amount of decimals here and normalizes using 1e18 after that. There are some irregular tokens with small decimals and the token price might be calculated wrongly. Proof of Concept As we can see here, some...
Tokens having more than 18 decimals are not supported
Originally submitted by warden pauliax in 173, duplicate of 49. Tokens having more than 18 decimals are not supported, the calculation will revert here: function decimalMultiplieraddress token internal view returns uint256 return 1018 - IERC20Fulltoken.decimals; --- The text was updated...
Reward and base token decimals difference isn't accounted for in LiquidityFarming
Lines of code Vulnerability details Impact Reward and base token decimals can differ, while this difference isn't accounted for in the reward amount calculations, which will lead to either missing rewards or sending the whole rewards balance to the first eligible user. For example: If reward is...
Yearn token <> shares conversion decimal issue
Handle cmichel Vulnerability details The yearn strategy YearnYield converts shares to tokens by doing pricePerFullShare shares / 1e18: function getTokensForSharesuint256 shares, address asset public view override returns uint256 amount if shares == 0 return 0; // @audit should divided by...
Underflow problems occurring when a token has >18 decimals
Handle tensors Vulnerability details Impact The contracts assume that all tokens will have =18 decimals. If the Tracer team are the only people deploying the contracts, and they keep this in mind, this isn't a problem. If the contracts are to be deployed by other people, this assumption should be...
No support for token with decimals > 18
Handle s1m0 Vulnerability details Impact The smart contract doesn't behave correctly if deployed with token that have decimals 18. Proof of Concept The functions tokenToWad and wadToToken revert if the tokenDecimals is 18. These functions are called in critical places like deposit and withdraw...