The 6 decimals of USDC are hardcoded in Deploy.s.sol, but USDC is a proxy contract and its implementation could potentially change. If decimals changes from 6 to another number, the amount of USDC sent to the contract would no longer match the expected amount, making it higher or lower.
A proxy contract can change its implementation at any moment, and it is dangerous to assume that its properties will always stay the same.
Assume that the USDC contract decimals change and all user balances are updated accordingly: if decimals are now 2, a user previously holding 1_000_000 now holds 100, and the deployment may send 1,000 times too much USDC. Conversely, if decimals are now 18, it will only send a fraction of the amount.
Manual review
Call the USDC contract at deployment to read the current number of decimals.
PS: the MerkleRoot will also be affected as it holds the amount that a user can claim.
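One way to apply this recommendation, as an added example that is not the project's code: the library and contract names, the `fund` function and the `MERKLE_TREE_DECIMALS` constant are hypothetical. It reads `decimals()` from the token when funding and, because the Merkle leaves already fix the claim amounts, reverts if the value differs from the one the tree is assumed to have been built with.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. All names in this file are hypothetical, not taken from the project.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function transfer(address to, uint256 amount) external returns (bool);
}

library TokenAmount {
    error UnexpectedDecimals(uint8 expected, uint8 actual);

    /// Scale a whole-token amount with the decimals the token reports right now,
    /// instead of a literal such as 1e6.
    function toBaseUnits(IERC20Metadata token, uint256 wholeTokens) internal view returns (uint256) {
        return wholeTokens * 10 ** uint256(token.decimals());
    }

    /// Revert if the token no longer reports the decimals the off-chain data assumed.
    function requireDecimals(IERC20Metadata token, uint8 expected) internal view {
        uint8 actual = token.decimals();
        if (actual != expected) revert UnexpectedDecimals(expected, actual);
    }
}

contract FundingHelper {
    using TokenAmount for IERC20Metadata;

    // Assumption: the Merkle tree leaves were generated with 6-decimal amounts.
    uint8 internal constant MERKLE_TREE_DECIMALS = 6;

    /// Sends `wholeTokens` USDC held by this contract to `airdrop`.
    function fund(IERC20Metadata usdc, address airdrop, uint256 wholeTokens) external {
        // The leaves cannot be rescaled on-chain, so stop rather than fund a
        // contract whose claim amounts no longer match the token's units.
        usdc.requireDecimals(MERKLE_TREE_DECIMALS);
        uint256 amount = usdc.toBaseUnits(wholeTokens);
        require(usdc.transfer(airdrop, amount), "transfer failed");
    }
}
```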