M-02 MitigationConfirmed #30
Labels: confirmed for report (This issue is confirmed for report), mitigation-confirmed, MR-M-02, satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/compoundv3/CTokenV3Collateral.sol#L56
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/compoundv3/CusdcV3Wrapper.sol#L46
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/compoundv3/CusdcV3Wrapper.sol#L236
Vulnerability details
A discrepancy was found within the CTokenV3Collateral contract concerning `_underlyingRefPerTok()`. The original implementation utilized the `erc20Decimals` from the `CusdcV3Wrapper` contract (instead of `comet.decimals()`), which resulted in inaccurate conversions due to decimal misalignment with the underlying Comet token.
Mitigation
PR #889
The sponsor took the mitigation steps to resolve the issue by replacing `erc20Decimals` with `comet.decimals()`, ensuring the correct decimal precision is utilized in `_underlyingRefPerTok()`, with an added measure to cache `comet.decimals()` for gas optimization.
Conclusion
The mitigation has been successfully implemented and reviewed, addressing the initial vulnerability concerning the incorrect decimal precision in `_underlyingRefPerTok()` of the `CTokenV3Collateral` contract. This modification ensures that the conversion ratio between collateral and reference units is accurately computed moving forward.