Missing check in PoolManager.addTranche()
if the decimals for a new tranch are <= MAX_CURRENCY_DECIMALS
can lead to stuck stable coins
#219
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-123
grade-a
low quality report
This report is of especially low quality
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-09-centrifuge/blob/512e7a71ebd9ae76384f837204216f26380c9f91/src/PoolManager.sol#L192-L212
Vulnerability details
Impact
It is possible to mint tranch tokens that have more than 18 decimals. This would break all calculations in
investmentManager
where values are converted from tranch token decimals to PRICE_DECIMALS and back and will lead to stuck stable coins in escrow.Proof of Concept
In
PoolManager
the constant of MAX_CURRENCY_DECIMALS = 18 is used to prevent adding stable coins to the allow list that have more than 18 decimals. When creating a new tranch and thereby setting the decimal of the future tranch token there is no such check, meaning that it is possible to create a tranch with decimals of more than 18. This would lead to a tranch token with more than 18 decimals. Since functions likeInvestmentManager._toPriceDecimals
depend on the decimals of the tranch token to be <=18, this functions will revert and will result use funds been stuck inEscrow
.Example:
If a pool has a tranch token with more than 18 decimals, users can still call
requestDeposite
and try to invest in the pool. By calling this function, their stable coins they want to deposit to the pool will be send to escrow and a message with the deposit request will be send to centrifuge. Once the epoch of the centrifuge pool is over, the deposit request will be processed by centrifuge and a message with the identifierhandleExecutedCollectInvest
will be send to the gateway. This message will callInvestmentManger.handleExecutedCollectInvest
which calls function call_toPriceDecimals
._toPriceDecimals
will revert with an underflow because it cannot handle the decimals of the tranch token that are bigger than 18.This means that the deposit of the user will never be finished and the stable coins that he sent to escrow will be stuck for ever.
Tools Used
Manual review
Recommended Mitigation Steps
Add a check to
PoolManager.addTranche()
that ensures that the decimals for the new tranch are <=MAX_CURRENCY_DECIMALS
Assessed type
Decimal
The text was updated successfully, but these errors were encountered: