Submission Details
Severity:
USDC and CrimeMoney have different decimal places ,this may lead to problems during withdrawls
Description
Any traditional ERC20 token has a 18 decimal places i.e 1e18 but the USDC has 6 decimal places i.e 1e6
Impact
If decimal places of the erc20 tokens used are not considered it may lead to precision loss and miscalculations.
Proof of Concept
The deposit and withdraw functions of MoneyShelf.sol both use the same variable amount which has to be converted to the correct decimal places before being used.
Decimals PoC
function depositUSDC(address account, address to, uint256 amount) external {
deposit(to, amount);
@> usdc.transferFrom(account, address(this), amount);
@> crimeMoney.mint(to, amount);
}
function withdrawUSDC(address account, address to, uint256 amount) external {
withdraw(account, amount);
@> crimeMoney.burn(account, amount);
@> usdc.transfer(to, amount);
}
Recommended Mitigation
The decimal places have to be considered for the erc20 tokens with different decimal places
Updates
Lead Judging Commences
n0kto over 1 year ago
Submission Judgement Published Assigned finding tags:
USDC decimals not handled
Rewards breakdown
nSLOC
205This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.