Platform: Code4rena
Start Date: 28/09/2023
Pot Size: $36,500 USDC
Total HM: 5
Participants: 115
Period: 6 days
Judge: 0xDjango
Total Solo HM: 1
Id: 290
League: ETH
Rank: 80/115
Findings: 1
Award: $4.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Bauchibred
Also found by: 0x3b, 0xDetermination, 0xMosh, 0xScourgedev, 0xTheC0der, 0xTiwa, 0xWaitress, 0xdice91, 0xfusion, 0xpiken, 0xprinc, 0xweb3boy, ArmedGoose, Aymen0909, Breeje, Brenzee, Daniel526, DavidGiladi, DeFiHackLabs, Flora, Fulum, HChang26, Hama, IceBear, J4X, Krace, KrisApostolov, Maroutis, Mirror, MohammedRizwan, Norah, PwnStars, SPYBOY, TangYuanShen, Testerbot, ThreeSigma, Tricko, al88nsk, alexweb3, ast3ros, berlin-101, bin2chen, blutorque, btk, d3e4, deth, e0d1n, ether_sky, ge6a, gkrastenov, glcanvas, hals, imare, inzinko, jkoppel, jnforja, joaovwfreire, josephdara, kutugu, lotux, lsaudit, mahdirostami, merlin, n1punp, nadin, neumo, nisedo, nobody2018, oakcobalt, orion, peanuts, pep7siup, pina, ptsanev, rokinot, rvierdiiev, said, santipu_, sashik_eth, seerether, squeaky_cactus, terrancrypt, tonisives, twicek, vagrant, xAriextz, y4y
4.3669 USDC - $4.37
https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L661
The _calculateScore function in the contract may exhibit incorrect behavior when dealing with tokens that have a decimal precision greater than 18. This issue can lead to inaccurate score calculations, potentially impacting user assessments and decisions based on these scores.
    function _calculateScore(address market, address user) internal returns (uint256) {
        uint256 xvsBalanceForScore = _xvsBalanceForScore(_xvsBalanceOfUser(user));
        IVToken vToken = IVToken(market);
        ...
        capital = capital * (10 ** (18 - vToken.decimals()));
        return Scores.calculateScore(xvsBalanceForScore, capital, alphaNumerator, alphaDenominator);
    }
If a token has a decimal precision greater than 18 (e.g., 24 decimals like YAMv2), the adjustment in the code snippet above will not correctly account for the extra decimal places. This could lead to incorrect score calculations and potentially misrepresent the user's score.
Manual review
Modify the _calculateScore function to dynamically adjust the capital value based on the token's actual decimal precision. This can be achieved by using the token's decimals() function or by obtaining this information from a trusted source.
Decimal
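The following is an added example, not code from this submission or from the Venus repository: it puts the scaling expression quoted above next to a helper that normalises to 18 decimals in both directions, so the two can be compared for a token with more than 18 decimals. It assumes a Solidity 0.8 or later compiler (checked arithmetic); DecimalScaling, scaleUpOnly, scaleTo18, UnsupportedDecimals and DecimalScalingHarness are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Venus code. All names in this file are hypothetical.
library DecimalScaling {
    uint8 internal constant TARGET_DECIMALS = 18;

    error UnsupportedDecimals(uint8 tokenDecimals);

    // Same shape as the expression quoted from _calculateScore.
    // "18 - tokenDecimals" is evaluated as uint8 with overflow checks, so for
    // tokenDecimals > 18 the subtraction underflows and the call reverts with
    // Panic(0x11) before any scaled value is produced.
    function scaleUpOnly(uint256 amount, uint8 tokenDecimals) internal pure returns (uint256) {
        return amount * (10 ** (18 - tokenDecimals));
    }

    // Normalises to 18 decimals whether the token has fewer or more than 18.
    function scaleTo18(uint256 amount, uint8 tokenDecimals) internal pure returns (uint256) {
        if (tokenDecimals <= TARGET_DECIMALS) {
            // Multiply up; the checked multiplication reverts if the result overflows.
            return amount * (10 ** uint256(TARGET_DECIMALS - tokenDecimals));
        }
        uint256 excess = uint256(tokenDecimals) - TARGET_DECIMALS;
        // 10 ** 78 does not fit in uint256, so reject such tokens with an explicit error.
        if (excess > 77) revert UnsupportedDecimals(tokenDecimals);
        // Divide down; this truncates the digits below 18-decimal precision.
        return amount / (10 ** excess);
    }
}

// Thin wrapper so both functions can be called from a test or from Remix.
contract DecimalScalingHarness {
    function naive(uint256 amount, uint8 tokenDecimals) external pure returns (uint256) {
        return DecimalScaling.scaleUpOnly(amount, tokenDecimals);
    }

    function safe(uint256 amount, uint8 tokenDecimals) external pure returns (uint256) {
        return DecimalScaling.scaleTo18(amount, tokenDecimals);
    }
}
```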
#0 - c4-pre-sort
2023-10-05T19:49:57Z
0xRobocop marked the issue as duplicate of #486
#1 - c4-pre-sort
2023-10-06T00:53:46Z
0xRobocop marked the issue as not a duplicate
#2 - c4-pre-sort
2023-10-06T00:57:10Z
0xRobocop marked the issue as duplicate of #420
#3 - c4-judge
2023-11-01T16:12:25Z
fatherGoose1 marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2023-11-01T16:13:51Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-11-03T01:50:07Z
fatherGoose1 marked the issue as grade-b