Canto Application Specific Dollars and Bonding Curves for 1155s - 0xluckhu's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Researcher Performance

Rank: 17/120

Findings: 1

Award: $690.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

690.3741 USDC - $690.37

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-181

External Links

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/486d0723d686964a6dacc93ae0e1876705b4aa6b/asD/src/asD.sol#L76

Vulnerability details

Impact

asD::withdrawCarry() divides by the wrong scale factor (1e28) when it computes the maximum withdrawable NOTE; the correct divisor is 1e18. The computed maximum is therefore a factor of 1e10 too small. With Solidity's checked arithmetic the subsequent subtraction of totalSupply() underflows and the call reverts as soon as any asD has been minted, so the owner can withdraw far less interest than expected (in practice none), and the accrued interest stays locked in cNote.

Proof of Concept

The maximum withdrawable NOTE is computed in asD::withdrawCarry() as:

    uint256 maximumWithdrawable = (CTokenInterface(cNote).balanceOf(address(this)) * exchangeRate) / 1e28 - totalSupply();

  1. CTokenInterface(cNote).balanceOf(address(this)) is denominated in cNote.decimals.
  2. exchangeRate follows the Compound convention and is scaled by 10^(18 - cNote.decimals + Note.decimals), i.e. Note.decimals * 1e18 / cNote.decimals in decimal terms.

From 1 and 2, the product CTokenInterface(cNote).balanceOf(address(this)) * exchangeRate carries 18 + Note.decimals decimals. To leave maximumWithdrawable in Note.decimals, the same unit as totalSupply(), the product must be divided by 1e18, not 1e28. 1e28 is only the scale of exchangeRate itself in the usual Compound deployment (8-decimal cToken, 18-decimal underlying: 18 - 8 + 18 = 28); it is never the divisor that converts a cToken balance back to underlying.
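The decimal bookkeeping above, worked through with plain integers. This is an added example, not code from the Canto repository: it re-implements the arithmetic of the audited formula in Python, with the asD function names kept only as labels. It assumes the Compound convention that exchangeRate is scaled by 10^(18 - cToken.decimals + underlying.decimals) and that a cToken balance converts to underlying as balance * exchangeRate / 1e18; the deposit sizes and the 5% interest are constructed inputs.

```python
"""Model of the asD.withdrawCarry() scale-factor bug with plain integers.

Added example, not code from the Canto repository. Assumptions (Compound
convention): exchangeRate is scaled by 10**(18 - cToken.decimals +
underlying.decimals) and the underlying value of a cToken balance is
balance * exchangeRate / 1e18. Scenario numbers are constructed.
"""

WRONG_DIVISOR = 10**28   # the constant used in withdrawCarry()
RIGHT_DIVISOR = 10**18   # Compound's expScale


def exchange_rate_scale(ctoken_decimals: int, underlying_decimals: int) -> int:
    """Scale of a Compound-style exchangeRate (assumed convention)."""
    return 10 ** (18 - ctoken_decimals + underlying_decimals)


def mint(underlying_amount: int, exchange_rate: int) -> int:
    """cTokens minted for a deposit: amount * 1e18 / exchangeRate."""
    return underlying_amount * 10**18 // exchange_rate


def underlying_of(ctoken_balance: int, exchange_rate: int) -> int:
    """Underlying value of a cToken balance: balance * exchangeRate / 1e18."""
    return ctoken_balance * exchange_rate // 10**18


def max_withdrawable(ctoken_balance: int, exchange_rate: int,
                     total_supply: int, divisor: int) -> int:
    """withdrawCarry()'s maximumWithdrawable with a configurable divisor.

    Mirrors Solidity 0.8 checked arithmetic: a negative intermediate
    result raises instead of wrapping around.
    """
    backing = ctoken_balance * exchange_rate // divisor
    if backing < total_supply:
        raise ArithmeticError(
            f"underflow: backing {backing} < totalSupply {total_supply}")
    return backing - total_supply


def canto_scenario() -> dict:
    """Constructed scenario: NOTE and cNOTE both have 18 decimals.

    1000 NOTE are deposited at an exchange rate of 1.0 and the rate then
    grows by 5%, so 50 NOTE of carry should be withdrawable.
    """
    note_dec, cnote_dec = 18, 18
    scale = exchange_rate_scale(cnote_dec, note_dec)   # 1e18 for cNOTE
    rate0 = 1 * scale
    total_supply = 1000 * 10**note_dec                 # asD minted 1:1 for NOTE
    cnote_balance = mint(total_supply, rate0)
    rate1 = rate0 * 105 // 100                          # +5% interest accrued
    expected = underlying_of(cnote_balance, rate1) - total_supply

    result = {
        "scale": scale,
        "expected_carry": expected,
        "with_1e18": max_withdrawable(cnote_balance, rate1,
                                      total_supply, RIGHT_DIVISOR),
    }
    try:
        max_withdrawable(cnote_balance, rate1, total_supply, WRONG_DIVISOR)
        result["with_1e28"] = "no revert"
    except ArithmeticError:
        result["with_1e28"] = "revert"   # backing is ~1e10 too small
    return result


def compound_scenario() -> dict:
    """Constructed scenario in Compound's usual shape: 8-decimal cToken and
    18-decimal underlying, so exchangeRate is scaled by 1e28, yet the divisor
    that recovers the underlying balance is still 1e18."""
    scale = exchange_rate_scale(8, 18)                  # 1e28
    rate = 2 * scale // 100                             # 0.02, Compound's initial rate
    deposit = 1000 * 10**18
    ctokens = mint(deposit, rate)
    return {"scale": scale, "ctokens": ctokens,
            "round_trip": underlying_of(ctokens, rate)}


if __name__ == "__main__":
    print(canto_scenario())
    print(compound_scenario())
```

The second scenario goes slightly beyond the finding: it shows that even in a deployment where the comment "scaled by 1e28" is literally true, the conversion from cToken balance to underlying still divides by 1e18, which is why the 1e28 divisor is wrong regardless of cNOTE's decimals.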

Tools Used

https://github.com/code-423n4/2023-11-canto/blob/486d0723d686964a6dacc93ae0e1876705b4aa6b/asD/src/asD.sol#L76: change the divisor from 1e28 to 1e18, so that maximumWithdrawable is expressed in Note.decimals like totalSupply().

Assessed type

Decimal

#0 - c4-pre-sort

2023-11-18T05:09:16Z

minhquanym marked the issue as duplicate of #227

#1 - c4-judge

2023-11-28T22:53:52Z

MarioPoneder changed the severity to 3 (High Risk)

#2 - c4-judge

2023-11-28T22:54:02Z

MarioPoneder marked the issue as satisfactory
