MyCut

First Flight #23
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Failure to check the Token Decimals

Summary

The ContestManager smart contract is designed to create and manage contests with ERC20 token rewards. The contract assumes that every ERC20 token uses the standard 18-decimal format, which can lead to incorrect reward calculations and distribution when tokens with a different decimals configuration are used.

Vulnerability Details

Token rewards are calculated and transferred in the createContest and fundContest functions. These functions do not check or adjust for the specific decimals value of the ERC20 token used, assuming a default of 18 decimals.

Scenario:
If a contest uses an ERC20 token with 6 decimals (like USDC), and the contract is instructed to reward 1.5 tokens, the contract might mistakenly calculate this as 1.5 * 10^18 units instead of the correct 1.5 * 10^6 units. This discrepancy can cause the contract to underpay or overpay rewards, depending on the situation.

The contract lacks a mechanism to retrieve and appropriately handle the decimals value from the ERC20 token contract, leading to a mismatch between the expected and actual number of token units transferred.

Impact

The most immediate and significant impact is the incorrect distribution of rewards to contest participants. Players may receive far more or far less than intended. For tokens with lower decimals, the contract might underpay rewards, leaving participants short-changed. Conversely, for tokens with more decimals, the contract could overpay, leading to financial losses.

Tools Used

Manual Review

Recommendation

Modify the contract to include logic that retrieves the decimals() value from the ERC20 token contract before performing any reward calculations or transfers. This ensures that rewards are calculated in the correct unit of measurement.
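As an added illustration of the recommended handling (example code, not part of the MyCut or ContestManager codebase), the hypothetical TokenUnits library below reads the optional decimals() getter with a fallback and scales an amount expressed with 18 decimals into the token's native base units, rejecting amounts that a lower-decimal token cannot represent exactly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal interface for the ERC20 metadata extension. Note that decimals()
/// is OPTIONAL in the ERC20 standard, so a token may not implement it.
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// Hypothetical helper (assumption: not part of ContestManager) that converts
/// a reward amount written with 18 decimals into the token's own units.
library TokenUnits {
    uint8 internal constant DEFAULT_DECIMALS = 18;

    /// Reads decimals() from the token, falling back to 18 when the call
    /// reverts (token without the metadata extension).
    function decimalsOf(address token) internal view returns (uint8) {
        // An EOA or empty address would return no data; fail loudly instead
        // of silently treating it as an 18-decimal token.
        require(token.code.length > 0, "TokenUnits: token is not a contract");
        try IERC20Decimals(token).decimals() returns (uint8 d) {
            return d;
        } catch {
            return DEFAULT_DECIMALS;
        }
    }

    /// Scales `amountWad` (1.5 tokens == 1.5e18) into base units of `token`:
    /// 1.5e6 for a 6-decimal token such as USDC, 1.5e18 for an 18-decimal one,
    /// 1.5e24 for a 24-decimal one.
    function toTokenUnits(address token, uint256 amountWad) internal view returns (uint256) {
        uint8 d = decimalsOf(token);
        if (d == DEFAULT_DECIMALS) {
            return amountWad;
        }
        if (d < DEFAULT_DECIMALS) {
            uint256 factor = 10 ** uint256(DEFAULT_DECIMALS - d);
            uint256 scaled = amountWad / factor;
            // Dust below the token's precision would be silently dropped and
            // shift value between funder and winners; reject it instead.
            require(scaled * factor == amountWad, "TokenUnits: amount not representable");
            return scaled;
        }
        // Checked arithmetic in 0.8 reverts on overflow for huge decimals.
        return amountWad * 10 ** uint256(d - DEFAULT_DECIMALS);
    }
}
```

A contest contract would call TokenUnits.toTokenUnits(token, reward) once when funding and store the result, so every later transfer uses the token's native units rather than a hard-coded 18-decimal assumption.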

Updates

Lead Judging Commences

equious Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other