roguereddwarf - Protocol breaks with collateral that does not have 18 decimals

[sherlock-admin]

roguereddwarf

medium

Protocol breaks with collateral that does not have 18 decimals

Summary

According to the Contest page, the protocol should work with any non-rebasing ERC20 token.
In particular this includes ERC20s with different decimals.

However the protocol treats all ERC20s the same without adjusting for their decimals.

I will show how this breaks the calculation of the collateralization ratio. But basically every calculation that has the collateral involved does not account for the fact that it might not have 18 decimals.

Vulnerability Detail

Let's consider the equation for the collateralization ratio:

uint256 newCollRatio = (_coll * _price * Constants.PRECISION) / (_debt * 10 ** priceDecimals);

Constants.PRECISION is a constant that is equal to 1e18.
Further assume the following values for a collateral with 18 decimals:
_coll=2e18, _price=1e18, _debt=1e18.

priceDecimals is the number of decimals of _price (price in USD).

When the collateral has 18 decimals, the formula works as expected. The result is 2e18.

But now assume the collateral has less than 18 decimals, say 16.
Then two collateral token would not be 2e18 but instead 2e16.
And the result of the equation would be 2e16.
So we have 1 USD of debt (1 TAU = 1e18) and have provided 2 USD of collateral.

The result of the function indicates that we are below the minimum collateralization ratio which is 1.2e18 (120%) even though it should be 200%.

Impact

Protocol breaks when collateral does not have 18 decimals.

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Libs/TauMath.sol#L11-L27

Tool used

Manual Review

Recommendation

Don't allow the protocol to be used with collateral that does not have 18 decimals or allow the creator of a Vault to specify the decimals of the collateral such that the formulas can account for it.

Duplicate of #35