krot-0025 - User may lose funds if they input wrong data in exchangeRateNumerator and exchangeRateDenominator #278

Open
sherlock-admin2 opened this issue Nov 17, 2024 · 0 comments


sherlock-admin2 commented Nov 17, 2024

krot-0025

Medium

User may lose funds if they input wrong data in exchangeRateNumerator and exchangeRateDenominator

Summary

When a user invests using the function invest(), they input the data in InvestParams, which has the fields exchangeRateNumerator and exchangeRateDenominator that help in calculating fees and the stable amount before and after fees. It can lead to loss of funds if they are depositing 6-decimal tokens and using an exchange rate with an 18-decimal value. It will result in them losing funds. For example, if the data is incorrectly filled:

  • Suppose the user wants to invest 2 tokens, which means 2 * 10**6
  • But the user enters exchangeRateNumerator and exchangeRateDenominator as 10 ** 18 decimals
  • Now after the calculation preFeeStableAmountEquivalent becomes 2 * 10 ** 24 and postFeeStableAmountEquivalent becomes 0.1 * 10 ** 18
  • So, as we can see, the user will invest 2 tokens but the stable amount will be only 0.1, which will result in a loss for the user.

Root Cause

There should be a check on the data the user enters in InvestParams while investing using the function invest(). We can check the decimals of the token that the user is going to invest and match them with the exchangeRate values; only if they are correct should the transaction be processed, otherwise it should revert or show an error.
https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/main/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol#L141-L205

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

The user will lose funds if the data is incorrectly filled in the InvestParams while calling invest().
Loss of funds because of incorrect InvestParams.

PoC

No response

Mitigation

Try checking the decimals of the token along with the decimal amount entered in exchangeRateNumerator and exchangeRateDenominator in InvestParams.

sherlock-admin3 changed the title from "Radiant Seafoam Carp - User may lose funds if they input wrong data in exchangeRateNumerator and exchangeRateDenominator" to "krot-0025 - User may lose funds if they input wrong data in exchangeRateNumerator and exchangeRateDenominator" on Nov 23, 2024