Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: low
Invalid

`MERC20DelegateMadFixer.sol:SweepAll` Sweeping 3 Different Tokens Without Specifying Decimals: Not Best Practice.

[L-01] MERC20DelegateMadFixer.sol:SweepAll Sweeping 3 Different Tokens Without Specifying Decimals: Not Best Practice.

Description:

Referencing the documentation at https://docs.nomad.xyz/token-bridge/deployed-tokens/mainnet, we find that the following tokens have varying decimal precision:

Wrapped BTC: 8 decimals
Wrapped Ether: 18 decimals
USDC: 6 decimals

When using the balanceOf function, the returned balance of an address doesn't include any specification of decimals. However, it's important to note that the balances being swept, nomadusdc, nomadbtc, and nomadeth, all have different decimal precision.

Impact

This will not have any impact in this case, but if the decimal position is never considered it can lead to potential errors and unexpected behavior.

It is better to adopt this as best practice so that no problems arise from it now or in the near future.

Proof of Concept:

```solidity
bool success = token.transfer(sweeper, token.balanceOf(address(this)));
```

The balanceOf function retrieves the balance of a token without indicating its decimal precision. Therefore, it's best practice to ascertain the decimal precision of each token before transferring it. This approach ensures smooth transactions, especially when dealing with multiple tokens, each having a different decimal precision, within a single contract.

Recommended Mitigation:

Old code:

```solidity
function sweepAll(address sweeper) external {
    /// @dev checks
    require(msg.sender == admin, "only admin may sweep all");
    EIP20Interface token = EIP20Interface(underlying);
    /// @dev take it, take it all
    bool success = token.transfer(sweeper, token.balanceOf(address(this)));
    require(success, "token sweep failed");
}
```

New suggested code:

```solidity
function sweepAll(address sweeper) external {
    /// @dev checks
    require(msg.sender == admin, "only admin may sweep all");
    EIP20Interface token = EIP20Interface(underlying);
    uint256 balance = token.balanceOf(address(this));
    /// @dev take it, take it all
    uint256 decimals = token.decimals();
    uint256 adjustedBalance = balance * (10 ** (18 - decimals));
    bool success = token.transfer(sweeper, adjustedBalance);
    require(success, "token sweep failed");
}
```
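The distinction between a token's raw integer balance and its display value, as an added example that is not part of the original submission or of the Moonwell/Compound code: a small Python model of ERC-20 accounting (constructed token names and balances) that runs the original sweep and the suggested 18-decimal scaling over the three precisions named above. It assumes, as the ERC-20 standard specifies, that balanceOf and transfer use the same smallest-unit integer, which is the reason the statement was judged incorrect: the unscaled transfer moves the full balance for every token, while the scaled amount exceeds the balance for 6- and 8-decimal tokens and the transfer reverts. Decimals matter only when converting a raw amount into a human-readable figure, which the to_display helper shows.

```python
# Added example (not part of the original submission or the Moonwell code base):
# a minimal in-memory model of ERC-20 accounting used to check what
# balanceOf/transfer actually return and accept. Token symbols and balances
# below are constructed for illustration.


class InsufficientBalance(Exception):
    """Stands in for the revert an ERC-20 transfer raises when amount > balance."""


class Token:
    """Minimal ERC-20 ledger. All amounts are integers in the token's smallest unit."""

    def __init__(self, symbol: str, decimals: int) -> None:
        self.symbol = symbol
        self.decimals = decimals
        self._balances: dict[str, int] = {}

    def mint(self, account: str, amount: int) -> None:
        self._balances[account] = self.balance_of(account) + amount

    def balance_of(self, account: str) -> int:
        # Raw integer in the same unit that transfer() expects; no decimal scaling.
        return self._balances.get(account, 0)

    def transfer(self, sender: str, to: str, amount: int) -> bool:
        if amount > self.balance_of(sender):
            raise InsufficientBalance(f"{self.symbol}: {amount} > {self.balance_of(sender)}")
        self._balances[sender] -= amount
        self._balances[to] = self.balance_of(to) + amount
        return True


def sweep_all(token: Token, contract: str, sweeper: str) -> int:
    """Mirrors the original sweepAll: move the raw balanceOf amount, unscaled."""
    amount = token.balance_of(contract)
    token.transfer(contract, sweeper, amount)
    return amount


def sweep_all_scaled(token: Token, contract: str, sweeper: str) -> int:
    """Mirrors the suggested change: scale the balance to 18 decimals before transfer."""
    balance = token.balance_of(contract)
    if token.decimals > 18:
        # In Solidity 0.8 the unsigned subtraction 18 - decimals would revert here.
        raise OverflowError("18 - decimals underflows for tokens with more than 18 decimals")
    adjusted = balance * 10 ** (18 - token.decimals)
    token.transfer(contract, sweeper, adjusted)
    return adjusted


def to_display(token: Token, raw: int) -> str:
    """Where decimals do matter: converting a raw amount to a human-readable string."""
    unit = 10 ** token.decimals
    whole, frac = divmod(raw, unit)
    if token.decimals == 0:
        return f"{whole} {token.symbol}"
    return f"{whole}.{frac:0{token.decimals}d} {token.symbol}"


def run_scenarios() -> dict:
    """Run both sweep variants over the three token precisions named in the finding."""
    results = {}
    # Constructed balances: 1.5 WBTC, 2 WETH, 1000 USDC held by the fixer contract.
    specs = [("WBTC", 8, 150_000_000), ("WETH", 18, 2 * 10**18), ("USDC", 6, 1_000_000_000)]
    for symbol, decimals, raw in specs:
        token = Token(symbol, decimals)
        token.mint("fixer", raw)
        swept = sweep_all(token, "fixer", "sweeper")
        results[f"{symbol}_swept"] = swept
        results[f"{symbol}_sweeper_balance"] = token.balance_of("sweeper")
        results[f"{symbol}_display"] = to_display(token, swept)

        # Fresh ledger so the scaled variant starts from the same balance.
        token2 = Token(symbol, decimals)
        token2.mint("fixer", raw)
        try:
            sweep_all_scaled(token2, "fixer", "sweeper")
            results[f"{symbol}_scaled_ok"] = True
        except InsufficientBalance:
            results[f"{symbol}_scaled_ok"] = False
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Only the 18-decimal token survives the scaled variant, and only because the multiplier is 1 there; for the 6- and 8-decimal tokens the scaled amount is larger than the contract holds, so the transfer reverts and the sweep fails.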

Tools used

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
