c-01.md

[C-01] Missing asset decimal adjustment when calculating TVL

Severity

Impact: High

Likelihood: High

Description

When the TVL is being calculated in the VaultKerosene.sol contract the balance is multiplied with the oracle price, and adjusted with the oracle decimals.

https://github.com/DyadStablecoin/contracts/blob/37b4d8bbbb59de52b25056fa8b9759203fe2bc1d/src/core/VaultKerosene.sol#L113-L115

tvl += vault.asset().balanceOf(address(vault)) 
                        * vault.assetPrice()
                        / (10**vault.oracle().decimals());

However it does not adjust this based on the asset decimals. Furthermore, the assetPrice here is just a chainlink oracle, as seen in the vault implementations.

function assetPrice() public view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = oracle.latestRoundData();
        if (block.timestamp > updatedAt + STALE_DATA_TIMEOUT) revert StaleData();
        return answer.toUint256();
    }

So if two vaults have wbtc and weth, they will have different decimals and different amounts. But their pricefeeds will return the same decimals. So they will return a different scale of prices.

Say both wbtc and eth are valued at 100 USD. So price feed returns 1e10 for both.

For 1e8 WBTC: tvl = 1e8 * 1e10 / 1e8 = 1e10

For 1e18 WETH: tvl = 1e18 * 1e10 / 1e8 = 1e20

So WBTC is massively undervalued.

Mitigation recommendation

Also adjust by asset decimals.

tvl += vault.asset().balanceOf(address(vault)) 
                * vault.assetPrice() * 1e18
                / (10**vault.asset().decimals()) 
                / (10**vault.oracle().decimals());