Watch out for copy-paste code

Developers sometimes copy and paste parts of code to save development time. This can cause you serious problems in the future if your code is not reviewed by professionals. Take a look at the following snippet:

    function decodeWellData(bytes memory data) public view virtual returns (uint256[] memory decimals) {
        (uint256 decimal0, uint256 decimal1) = abi.decode(data, (uint256, uint256));
        // if well data returns 0, assume 18 decimals.
        if (decimal0 == 0) {
            decimal0 = 18;
        }
        if (decimal0 == 0) { //@audit
            decimal1 = 18;
        }
        if (decimal0 > 18 || decimal1 > 18) revert InvalidTokenDecimals();
        decimals = new uint256[](2);
        decimals[0] = decimal0;
        decimals[1] = decimal1;
    }

In the decodeWellData function, if the well data returns 0, a decimal of 18 is assumed as the standard for the token, and each token's decimals are scaled to that level. However, as the @audit tag shows, before setting decimal1 to 18 the function incorrectly checks whether decimal0 is 0, rather than checking whether decimal1 is 0.

This means that regardless of the value returned for decimal1 from the decoding, it’s replaced with 18, even if token1 is a token with 6 decimals, or less than 18. As a result, the reserves will potentially be scaled with a decimal different from the actual one. Also, when decimal1 is 0, rather than scaling to a value of 18, the function ignores this value and attempts to work with a value of 0 instead. As the function is used extensively in the codebase, this can lead to serious price miscalculations.
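As an added example (not code from the audited project or from the report), the contract below keeps the snippet's logic as decodeAsWritten and sets beside it one way to remove the duplicated branch: a single default rule applied to both values, plus a regression check in which the second value is 0. The as-written version fails that check for the second slot and the fixed one passes. Every name except InvalidTokenDecimals is hypothetical, and the encoded input is constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Every name except InvalidTokenDecimals is hypothetical.
contract DecimalsDecodeCheck {
    error InvalidTokenDecimals();

    // Logic of the snippet above, kept as written: the second branch re-tests decimal0.
    function decodeAsWritten(bytes memory data) public pure returns (uint256[] memory decimals) {
        (uint256 decimal0, uint256 decimal1) = abi.decode(data, (uint256, uint256));
        if (decimal0 == 0) {
            decimal0 = 18;
        }
        if (decimal0 == 0) { // copied condition that was never updated
            decimal1 = 18;
        }
        if (decimal0 > 18 || decimal1 > 18) revert InvalidTokenDecimals();
        decimals = new uint256[](2);
        decimals[0] = decimal0;
        decimals[1] = decimal1;
    }

    // One default rule shared by both slots, so there is no second copy to forget.
    function orDefault(uint256 d) internal pure returns (uint256) {
        return d == 0 ? 18 : d;
    }

    function decodeFixed(bytes memory data) public pure returns (uint256[] memory decimals) {
        (uint256 decimal0, uint256 decimal1) = abi.decode(data, (uint256, uint256));
        decimals = new uint256[](2);
        decimals[0] = orDefault(decimal0);
        decimals[1] = orDefault(decimal1);
        if (decimals[0] > 18 || decimals[1] > 18) revert InvalidTokenDecimals();
    }

    // Regression check on constructed input (6, 0): does each version
    // apply the 18-decimal default to the second slot?
    function secondSlotDefaults() external pure returns (bool asWrittenOk, bool fixedOk) {
        bytes memory data = abi.encode(uint256(6), uint256(0));
        uint256[] memory a = decodeAsWritten(data);
        uint256[] memory b = decodeFixed(data);
        asWrittenOk = a[0] == 6 && a[1] == 18;
        fixedOk = b[0] == 6 && b[1] == 18;
    }
}
```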

Always review your code and read bug reports:

Link: https://code4rena.com/reports/2024-07-basin#h-02-incorrectly-assigned-decimal1-parameter-upon-decoding

#decimals

#calculations

#math
