Prime contract incompatible with underlying assets differing from 18 decimals #91
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-122
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/Prime.sol#L661
https://github.com/code-423n4/2023-09-venus/blob/b11d9ef9db8237678567e66759003138f2368d23/contracts/Tokens/Prime/PrimeLiquidityProvider.sol#L12
Vulnerability details
Description
The underlying assets of the core markets (vToken) of the Venus Protocol typically have 18 decimals on Binance Smart Chain, e.g. USDT, BNB, WETH. However, there are exceptions like the vUST market (also a core market) with the underlying UST token, which has just 6 decimals. Moreover, the Venus Prime protocol extension seems to be developed and tested for underlying assets with 18 decimals only.
Issues:
- PrimeLiquidityProvider (second linked line above): [...] 1e18 and therefore implicitly allows faster asset distributions for assets having less than 18 decimals, see also PrimeLiquidityProvider._setTokenDistributionSpeed(...).
- Prime._calculateScore(...) (first linked line above) uses the market's (vToken) decimals instead of the underlying asset's decimals. The latter would be necessary to upscale the underlying capital allocation to 18 decimals for the subsequent score computation.
(Please note that there is also an issue when markets (vToken) differ from 18 decimals, but this is discussed in a separate report.)
Proof of Concept
In this case, it's better to immediately begin with the PoC in order to demonstrate the impacts.
The following diff changes the MATIC token (18 decimals) to the UST token (6 decimals) within all the PrimeLiquidityProvider integration test cases of the Prime test file. Note that this also includes the reduction of all related values to 6 decimals, i.e. mints, approvals, transfers, limits, test assertions and the distribution speed.
Running the modified PrimeLiquidityProvider integration test with npx hardhat test tests/hardhat/Prime/Prime.ts leads to 1 failed case:
Impact
Closer examination of the failed test case reveals that the score and subsequently the interest computation are off by multiple orders of magnitude. The consequence is loss of yield for the user when interest is claimed.
In general, one can see that the Venus Prime protocol is not ready to work with all core markets of the Venus protocol.
Tools Used
Manual review
Recommended Mitigation Steps
Accounting for the underlying asset's decimals instead of the market's (vToken) decimals in Prime._calculateScore(...) fixes the issue and lets all Prime test cases pass.
Assessed type
Decimal
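The following is an added model of the two decimal issues listed above and of the recommended mitigation (example code written for this page, not the Venus Prime contracts). It assumes that a raw amount is upscaled to 18 decimals by multiplying with 10**(18 - decimals), that the Prime test mocks use 18-decimal vTokens, and that the 1e18 value in PrimeLiquidityProvider acts as a cap on the raw distribution speed; the helper names are hypothetical.

```python
from fractions import Fraction

# Constructed parameters: decimals of the underlying assets named in the report.
UST_DECIMALS = 6     # underlying of the vUST core market
MATIC_DECIMALS = 18  # underlying used by the original Prime test cases
# Assumption: the test mocks use 18-decimal vTokens.
VTOKEN_DECIMALS = 18


def upscale_to_18(raw_amount: int, decimals: int) -> int:
    """Convert a raw token amount to 18-decimal fixed point (assumed scaling rule)."""
    if decimals > 18:
        raise ValueError("assets with more than 18 decimals are out of scope here")
    return raw_amount * 10 ** (18 - decimals)


def capital_for_score(raw_underlying: int, underlying_decimals: int,
                      vtoken_decimals: int, fixed: bool) -> int:
    """Capital term fed into the score computation.

    fixed=False mirrors the reported bug: the market's (vToken) decimals drive
    the upscaling. fixed=True applies the recommended mitigation: the
    underlying asset's decimals are used instead.
    """
    decimals = underlying_decimals if fixed else vtoken_decimals
    return upscale_to_18(raw_underlying, decimals)


def score_error_factor(raw_underlying: int, underlying_decimals: int,
                       vtoken_decimals: int) -> Fraction:
    """Ratio of the correctly scaled capital to the buggy one (1 means no error)."""
    if raw_underlying == 0:
        return Fraction(1)
    correct = capital_for_score(raw_underlying, underlying_decimals, vtoken_decimals, True)
    buggy = capital_for_score(raw_underlying, underlying_decimals, vtoken_decimals, False)
    return Fraction(correct, buggy)


def max_speed_in_whole_tokens(decimals: int, cap_raw: int = 10 ** 18) -> int:
    """Whole tokens per block that a raw cap of 1e18 permits for a given asset."""
    return cap_raw // 10 ** decimals


if __name__ == "__main__":
    thousand_ust = 1000 * 10 ** UST_DECIMALS
    print("UST score capital error factor:",
          score_error_factor(thousand_ust, UST_DECIMALS, VTOKEN_DECIMALS))
    print("MATIC score capital error factor:",
          score_error_factor(1000 * 10 ** MATIC_DECIMALS, MATIC_DECIMALS, VTOKEN_DECIMALS))
    print("1e18 raw cap in whole tokens, MATIC vs UST:",
          max_speed_in_whole_tokens(MATIC_DECIMALS), max_speed_in_whole_tokens(UST_DECIMALS))
```

For the MATIC case both paths agree, which is why the original test file passes; for UST the capital entering the score is off by a factor of 10**12 and the raw 1e18 cap allows 10**12 whole tokens per block instead of one.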