
Malt decimals inconsistency: StabilizerNode and DAO contracts use 18 as hard coded Malt decimals #175

Open
code423n4 opened this issue Nov 30, 2021 · 1 comment
Labels
  • 1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
  • bug: Something isn't working
  • sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4 (Contributor)

Handle

hyh

Vulnerability details

Impact

If the Malt token is set to have lower decimals, the incentives will be too big to be issued, the DAO advance epoch and StabilizerNode auction start functions will fail, and the system will have to be redeployed.

For example, if Malt was set to have 6 decimals like USDC, then the 100*1e18 StabilizerNode defaultIncentive will be 100 trillion Malt.

Proof of Concept

Now some parts of the system use malt.decimals() (SwingTrader, UniswapHandler), some (StabilizerNode, DAO) use 18.

DAO advanceIncentive:

https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/DAO.sol#L60

StabilizerNode defaultIncentive:

The stabilize function
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/StabilizerNode.sol#L145
calls _startAuction in the low exchangeRate case, minting defaultIncentive * 10**18 = 100 * 1e18 Malt to the sender as a caller fee:
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/StabilizerNode.sol#L344

Recommended Mitigation Steps

If Malt decimals are meant to be set to 18, add a constant variable and use it across the system to save gas.

If the flexibility is desired, malt.decimals() is to be used, in the form of a contract storage variable for gas optimization (decimals() can be saved to storage once on initialization and read from there afterwards).
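An added illustration of the mitigation described above, written for this issue and not taken from the Malt code base: a hypothetical node contract reads `decimals()` once at initialization into storage and scales the incentive by it, shown beside the hard-coded 18 pattern the report flags. `IncentiveScaling`, `MockMalt`, `IERC20Decimals` and `IMintable` are assumed names, and the mock token is constructed so the contract can be deployed against a 6-decimal or an 18-decimal token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slices of the ERC-20 metadata and mint interfaces (assumed names).
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

interface IMintable {
    function mint(address to, uint256 amount) external;
}

// Constructed mock token: lets the node be deployed against a 6- or 18-decimal Malt.
contract MockMalt is IERC20Decimals, IMintable {
    uint8 public immutable override decimals;
    mapping(address => uint256) public balanceOf;
    constructor(uint8 _decimals) { decimals = _decimals; }
    function mint(address to, uint256 amount) external override { balanceOf[to] += amount; }
}

// Hypothetical stand-in for StabilizerNode; defaultIncentive is 100 whole Malt.
contract IncentiveScaling {
    IMintable public malt;
    // Report's mitigation: read decimals() once at initialization into storage
    // and use the cached value afterwards (no external call per incentive).
    uint8 public maltDecimals;
    uint256 public defaultIncentive = 100;

    constructor(address _malt) {
        malt = IMintable(_malt);
        maltDecimals = IERC20Decimals(_malt).decimals();
    }

    // Pattern the report flags: hard-coded 18. Against a 6-decimal Malt this
    // is 100 * 1e18 base units, i.e. 100 trillion Malt rather than 100.
    function hardcodedIncentive() public view returns (uint256) {
        return defaultIncentive * 10**18;
    }

    // Corrected pattern: scale by the token's actual decimals (100 * 1e6 for
    // a 6-decimal Malt, 100 * 1e18 for an 18-decimal one).
    function scaledIncentive() public view returns (uint256) {
        return defaultIncentive * 10**uint256(maltDecimals);
    }

    // Caller fee minted when an auction is started, using the scaled amount.
    function payCallerFee(address caller) external {
        malt.mint(caller, scaledIncentive());
    }
}
```

Deploying `IncentiveScaling` against `new MockMalt(6)` makes the difference visible: `hardcodedIncentive()` returns 100e18 while `scaledIncentive()` returns 100e6, which is the intended 100 Malt.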

code423n4 added the "1 (Low Risk)" and "bug" labels on Nov 30, 2021
code423n4 added a commit that referenced this issue on Nov 30, 2021
0xScotch added the "sponsor confirmed" label on Dec 8, 2021
@GalloDaSballo (Collaborator)

Because:

  • the sponsor confirmed
  • there are instances in the code where token.decimals() is used (adaptive)

I agree with the finding as it shows that some of the code is not consistently handling the possibility of having different decimals.

I believe the system as presented has no risk, however the warden has shown an improvement that is valid.
