Skip to content
This repository has been archived by the owner on Sep 17, 2023. It is now read-only.

Bahurum - Collateral ratio calculation is incorrect if collateralToken isn't in 18 decimals #193

Closed
sherlock-admin opened this issue Mar 13, 2023 · 0 comments
Closed

Bahurum - Collateral ratio calculation is incorrect if collateralToken isn't in 18 decimals #193

sherlock-admin opened this issue Mar 13, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 13, 2023
edited by github-actions bot
Loading

Bahurum

high

Collateral ratio calculation is incorrect if collateralToken isn't in 18 decimals

Summary

Some calculations in the contracts are incorrect if the collateral token has less or more than 18 decimals.
Since the protocol wants to add other yield bearing tokens in the future, this will cause large losses of funds if the token doesn't have 18 decimals.

Vulnerability Detail

The function _computeCR() in TauMath.sol will give an incorrect collateral ratio if the collateral token doesn't have 18 decimals.

For example, if the collateral token XYZ has 8 decimals and the price feed has 8 decimals, the debt is 1000 TAU, and the collateral is 1000 XYZ and the price is 1 XYZ = 1 TAU, then

uint256 newCollRatio = (_coll * _price * Constants.PRECISION) / (_debt * 10 ** priceDecimals) = (1000 * 1e8 * 1e8 * 1e18) / (1000 * 1e18 * 10**8) = 1e8

The value expected is 1e18 but the calculation gives 1e8. This will cause the collateral ratio to be much smaller than expected leading to early liquidations of users.

If decimals is bigger than 18, then the collateral ratio will be much larger than expected, allowing users to take undercollateralized loan and steal TAU from the contract.

Impact

Loss of user funds due to collateral ratio larger or smaller than expected.

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Libs/TauMath.sol#L18-L19

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/BaseVault.sol#L406

Tool used

Manual Review

Recommendation

In TauMath.sol:

    function _computeCR(
        uint256 _coll,
        uint256 _debt,
        uint256 _price,
+       uint8 collDecimals,
+       uint8 debtDecimals,     
        uint8 priceDecimals
    ) internal pure returns (uint256) {
        if (_debt > 0) {
-           uint256 newCollRatio = (_coll * _price * Constants.PRECISION) / (_debt * 10 ** priceDecimals);            
+           uint256 newCollRatio = (_coll * _price * Constants.PRECISION * debtDecimals) / (_debt * 10 ** priceDecimals * collDecimals);

            return newCollRatio;
        }
        // Return the maximal value for uint256 if the account has a debt of 0. Represents "infinite" CR.
        else {
            // if (_debt == 0)
            return type(uint256).max;
        }
    }
}

In BaseVault:_calcLiquidation:

-       uint256 collateralToLiquidateWithoutDiscount = (_debtToLiquidate * (10 ** decimals)) / price;
+       uint256 collateralToLiquidateWithoutDiscount = (_debtToLiquidate * collateralToken.decimals() * (10 ** decimals)) / (price * debtToken.decimals());

Duplicate of #35
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Mar 21, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin