Incorrect Precision in get_virtual_price() Calculation

[hats-bug-reporter]

Github username: --
Twitter username: --
Submission hash (on-chain): 0x994d521d911f2bd3bbc2b43c699b07b5427851838d5c5969f39690e96d595615
Severity: high

Description:
Description
The get_virtual_price() function in the StableSwapTwoPool.sol and StableSwapThreePool.solcontract calculates the virtual price of the pool's LP token using a precision of 1e18. This approach does not account for the actual decimals of the LP token, which leads to incorrect virtual price calculations.

function get_virtual_price() external view returns (uint256) {
    uint256 D = get_D(_xp(), get_A());
    uint256 token_supply = token.totalSupply();
    return (D * PRECISION) / token_supply; //@audit-incorrect precision,it should be D*token.decimals/token_supply
}

Attack Scenario
Lets understand issue with example:

• The invariant D is calculated as 1e18(as get_D returns scaled value i.e 1e18).
• The total supply of the LP token is (1e6).
• The LP token has 6 decimals.

Current Calculation:(INCORRECT)

uint256 virtualPrice = (D * PRECISION) / token_supply;
// virtualPrice = (1e18 * 1e18) / 1e6 = 1e36 / 1e6 = 1e30

Expected Calculation with Correct Decimals:

uint256 tokenDecimals = 6;
uint256 virtualPrice = (D * (10 ** tokenDecimals)) / token_supply;
// virtualPrice = (1e18 * 1e6) / 1e6 = 1e24 / 1e6 = 1e18

As we can see here the current implementation returns incorrect virtual price
Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

function get_virtual_price() external view returns (uint256) {
    uint256 D = get_D(_xp(), get_A());
    uint256 token_supply = token.totalSupply();
    uint256 tokenDecimals = IERC20Metadata(address(token)).decimals();
    return (D * (10 ** tokenDecimals)) / token_supply;
}

• By implementing this change, the function will correctly calculate the virtual price

[omega-audits]

The LP token is hardcoded to 18 decimals so this will never be an issue