Flaky Jade Porcupine
High
Issue with minting of G$ tokens in some scenarios because of decimal calculation.
The protocol allows permissionless minting of GoodDollar (G$) tokens through this function when there is a difference between the contract's reserve balance and the virtual balance.
According to the contest README, tokens are whitelisted and standard ERC20 is 'implied'. ERC20 tokens are also scaled many times across the codebase, so it is safe to assume that the protocol will work with tokens with < 18 decimals. The vulnerability lies in the fact that the reserve contract's actual balance is not scaled to 18 decimals, while exchange.reservebalance, the variable it is subtracted with, is always scaled before being operated on and stored. So when the token has < 18 decimals, this causes several issues, including:
- The contract reverting due to underflow, which can DoS minting for a very long time, especially if the number of decimals is low
- Lower amount of tokens being minted etc.
DoS of a crucial function for an unpredictable time; wrong amount of tokens being minted.
Manual Review
Scale the reserve balance before calculation
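The mismatch and the recommended fix, modeled as an added example (not the protocol's contract code). It assumes the mintable excess is the contract's actual balance minus the stored 18-decimal reserve balance with checked unsigned subtraction; all function names are hypothetical and the amounts are constructed.

```python
# Added illustration: models the arithmetic only, not the protocol's contract code.
TARGET_DECIMALS = 18


class Revert(Exception):
    """Stands in for a revert on unsigned underflow (assumed checked arithmetic)."""


def checked_sub(a: int, b: int) -> int:
    # Unsigned subtraction that reverts instead of wrapping.
    if b > a:
        raise Revert("arithmetic underflow")
    return a - b


def scale_to_18(raw: int, decimals: int) -> int:
    # Hypothetical helper: convert a raw token amount to 18-decimal precision.
    return raw * 10 ** (TARGET_DECIMALS - decimals)


def excess_unscaled(raw_balance: int, stored_reserve_18: int) -> int:
    # Behaviour described in the finding: raw balance vs. 18-decimal stored value.
    return checked_sub(raw_balance, stored_reserve_18)


def excess_scaled(raw_balance: int, decimals: int, stored_reserve_18: int) -> int:
    # Recommended fix: scale the actual balance before the subtraction.
    return checked_sub(scale_to_18(raw_balance, decimals), stored_reserve_18)


def try_excess_unscaled(raw_balance: int, stored_reserve_18: int):
    # Returns None where the contract call would revert.
    try:
        return excess_unscaled(raw_balance, stored_reserve_18)
    except Revert:
        return None


# Constructed sample values for a 6-decimal reserve token.
DECIMALS = 6
STORED = 1_000_000 * 10**18       # stored reserve balance, 18 decimals
RAW = 1_000_100 * 10**DECIMALS    # contract actually holds 100 tokens more

if __name__ == "__main__":
    print("unscaled, funded reserve:", try_excess_unscaled(RAW, STORED))
    print("scaled, funded reserve:  ", excess_scaled(RAW, DECIMALS, STORED))
    print("unscaled, empty reserve: ", excess_unscaled(100 * 10**DECIMALS, 0))
    print("scaled, empty reserve:   ", excess_scaled(100 * 10**DECIMALS, DECIMALS, 0))
```

With a funded reserve the unscaled path reverts (the DoS case); with an empty reserve it succeeds but reports an excess 10^12 times too small (the under-minting case).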