defirisk.co
rubric v1.7.0

Mixed-decimals math without explicit scaling

Midas's assessment for RD-F-017 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Hacken Dec-2023 High finding F-2023-0292 'USD Tokens With Custom Decimals Are Not Handled Properly' was Accepted (not Fixed). This represents a live acknowledged decimal handling gap. DecimalsCorrectionLibrary.sol exists for normalization but the High finding was not remediated. Sherlock 2024-08 expanded token coverage (WBTC, USDC with different decimals) which may partially address the risk, but without full Hacken report content the residual gap is unverifiable. Yellow as an acknowledged high-severity decimal handling risk remains live.

Sources #

  • Audit
    Hacken Midas Audit Dec-2023Hacken Dec-2023 finding F-2023-0292 'USD Tokens With Custom Decimals Not Handled' — severity High, status Acceptedretrieved 2026-05-16
  • GitHub
    Sherlock 2024-08 ScopeSherlock 2024-08 scope includes WBTC/USDC multi-decimal tokensretrieved 2026-05-16

Methodology #

Determine whether shared numerator/denominator arithmetic operates over tokens with different decimals without WAD/RAY normalization or explicit decimal-adjustment.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol midas factor RD-F-017 score yellow collected_at 2026-05-16 09:34:55