Base Tokens in Pair Contract are Assumed to Have 1e18 decimals

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L391
https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L20

Vulnerability details

Description

The price() function in the Pair.sol contract is designed to calculate the current price of one fractional token in base tokens with 18 decimals of precision however, there is a flaw in the price implementation where tokens such as USDT or USDC have not been considered which are of 6 decimal places.

Impact

This was awarded a High in severity because if the base token for a pair is not of 18 decimal places, this may result in an immediate loss of funds or undeserved gains when calculating token prices. Since the price() function assumes that the base token reserves are of 18 decimal places, internal accounting may be deemed incorrect if a token such as USDC (1e6) was to be used as the base reserve token. Therefore, because the price of a base token is being multiplied by 1e18 and divided by the amount of fractional tokens, malicious actors may be able to deposit a minimal amount and withdraw a large amount of tokens which may result in financial loss for users invested in the pair. In addition to this, fractional tokens may appear to be worth more than they actually are.

Proof of Concept

https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L391

Recommended Mitigation Steps

It's recommended that when performing operations involving decimal precision, the base token reserves should be multiplied dynamically by using ERC20(baseToken).decimals() to cater for a wider range of tokens.

[c4-judge]

berndartmueller marked the issue as duplicate of #53

[c4-judge]

berndartmueller changed the severity to 2 (Med Risk)

[c4-judge]

berndartmueller marked the issue as satisfactory

[C4-Staff]

CloudEllie marked the issue as duplicate of #141