Fast Khaki Raccoon
High
No decimal normalisation upon calling TokenRewards::depositFromPairedLpToken()
Upon calling TokenRewards::depositFromPairedLpToken(), we have the following code:
uint256 _amountOut = _token0 == PAIRED_LP_TOKEN ? (_rewardsPriceX96 * _amountTkn) / FixedPoint96.Q96 : (_amountTkn * FixedPoint96.Q96) / _rewardsPriceX96;The priceX96 is inverted if needed. However, there is no decimal normalisation done at any point during the function execution. Thus, if the paired LP token and the reward token are in different decimals, the result will be completely incorrect.
NOTE: The reward token and the paired LP token being in different decimals is completely expected. The developer has mentioned in a public channel that USDC will be used which has 6 decimals.
No response
No response
TokenRewards::depositFromPairedLpToken()is called and the paired LP token, USDC, has to be converted to an 18-decimal reward token- The amount out will be in 6 decimals which will result in a HUGE slippage allowed, practically the slippage protection will be non-existent
- The other scenario would be if the reward token has less decimals than the paired LP token, which will simply cause a revert
Theft of funds or reverts
No response
Convert the decimals accordingly