Maia DAO Ecosystem - adeolu's results

Efficient liquidity renting and management across chains with Curvenized Uniswap V3.

General Information

Platform: Code4rena

Start Date: 30/05/2023

Pot Size: $300,500 USDC

Total HM: 79

Participants: 101

Period: about 1 month

Judge: Trust

Total Solo HM: 36

Id: 242

League: ETH

Researcher Performance

Rank: 94/101

Findings: 1

Award: $23.84

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

23.8445 USDC - $23.84

Labels

bug
3 (High Risk)
partial-25
edited-by-warden
duplicate-758

External Links

Lines of code

https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L1340
https://github.com/code-423n4/2023-05-maia/blob/54a45beb1428d85999da3f721f923cbf36ee3d35/src/ulysses-omnichain/BranchBridgeAgent.sol#L1341

Vulnerability details

Impact

return _decimals == 18 ? _amount : _amount * (10 ** _decimals) / 1 ether;

_normalizeDecimals() is meant to convert token amounts denominated in decimals other than 18 to 18 decimals. The logic in _normalizeDecimals() of BranchBridgeAgent.sol gives the wrong output when decimals is not 18. This leads to bad accounting in the protocol. Amounts of tokens with decimals other than 18, USDC for example, are wrongly calculated.

_normalizeDecimals() is used in the deposit-related/bridging functions when crossing chains in the protocol.

Proof of Concept

    function _normalizeDecimals(uint256 _amount, uint8 _decimals) internal pure returns (uint256) {
        return _decimals == 18 ? _amount : _amount * (10 ** _decimals) / 1 ether;
    }

The above code is a snippet from the repo showing the faulty logic.

Following the above logic, if we want to convert a 6-decimal USDC value to 18 decimals and we have 10 USDC, that is 10_000_000 * (10**6) / 10**18. This gives a result of 0, since 1e13 / 1e18 = 0. This means that for a conversion of a 10 USDC value, we register a value of 0.

Tools Used

VS CODE

Change logic to

    function _normalizeDecimals(uint256 _amount, uint8 _decimals) internal pure returns (uint256) {
        return _decimals == 18 ? _amount : _amount * 1 ether / (10 ** _decimals);
    }

This way, 10 USDC converted to an 18-decimal value becomes 10_000_000 * 1e18 / 10 ** 6 = 10 * 1e18.

Assessed type

Math
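
The two formulas from the finding side by side, as an added example that is not part of the original submission or the Maia repository. The contract name, the function names normalizeReported/normalizeProposed, the selfCheck() helper and all sample amounts are constructed for illustration; it also goes beyond the 10 USDC case to show the zero-result threshold and tokens with 8 and 24 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the Maia repository. The contract name and
// the selfCheck() helper are hypothetical; the two formulas are the ones
// quoted in the finding.
contract NormalizeDecimalsDemo {
    // Formula as quoted from BranchBridgeAgent.sol in the finding.
    function normalizeReported(uint256 _amount, uint8 _decimals) public pure returns (uint256) {
        return _decimals == 18 ? _amount : _amount * (10 ** _decimals) / 1 ether;
    }

    // Formula proposed in the finding.
    function normalizeProposed(uint256 _amount, uint8 _decimals) public pure returns (uint256) {
        return _decimals == 18 ? _amount : _amount * 1 ether / (10 ** _decimals);
    }

    // Constructed sample values; reverts if any expectation fails.
    function selfCheck() external pure returns (bool) {
        // 10 USDC (6 decimals): the finding's worked case.
        require(normalizeReported(10_000_000, 6) == 0, "reported: 10 USDC -> 0");
        require(normalizeProposed(10_000_000, 6) == 10 ether, "proposed: 10 USDC -> 10e18");

        // With 6 decimals the reported formula stays at 0 below 1e12 base units
        // (1,000,000 whole tokens), since amount * 1e6 < 1e18.
        require(normalizeReported(1e12 - 1, 6) == 0, "below threshold");
        require(normalizeReported(1e12, 6) == 1, "at threshold");

        // 8-decimal token, 1 whole token = 1e8 base units.
        require(normalizeReported(1e8, 8) == 0, "reported: 8 decimals");
        require(normalizeProposed(1e8, 8) == 1 ether, "proposed: 8 decimals");

        // 18 decimals is a pass-through in both versions.
        require(normalizeReported(5 ether, 18) == 5 ether, "reported: 18 decimals");
        require(normalizeProposed(5 ether, 18) == 5 ether, "proposed: 18 decimals");

        // Above 18 decimals the proposed formula divides, so amounts below
        // 10 ** (decimals - 18) base units round down to 0.
        require(normalizeProposed(1e24, 24) == 1 ether, "proposed: 24 decimals");
        require(normalizeProposed(999_999, 24) == 0, "proposed: 24-decimal dust");
        return true;
    }
}
```

Calling selfCheck() after deploying the contract in any Solidity 0.8 environment returns true when every expectation holds.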

#0 - c4-judge

2023-07-09T15:22:03Z

trust1995 marked the issue as duplicate of #758

#1 - c4-judge

2023-07-09T15:22:20Z

trust1995 marked the issue as satisfactory

#2 - trust1995

2023-07-28T11:18:02Z

Partial credit for detecting 1/3 of the primary's issues.

#3 - c4-judge

2023-07-28T11:18:07Z

trust1995 marked the issue as partial-25
