Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Current ACCURACY may not be sufficient for tokens with different decimals

vladzaev

Summary

When the admin wants to send the profit to the DAO members, the function uses ACCURACY equal to 1e30. The final calculations may not be sufficient for tokens with different decimals

Vulnerability Details

Here is a function used for profits distribution:

function sendProfit(uint256 amount) external {
uint256 _totalSupply = totalSupply;
if (_totalSupply > 0) {
@> totalProfit += (amount * ACCURACY) / _totalSupply; // 1e30
IERC20(currency).safeTransferFrom(msg.sender, address(this), amount);
emit Profit(amount);
} else {
IERC20(currency).safeTransferFrom(msg.sender, creator, amount); // Redirect profit to creator if no supply
}
}

In protocol docs says that it's going to work with USDC, WETH, WBTC.

USDC got 8 decimals, WETH / WBTC - 18.

In case the protocol will work with any other token with different decimal value, it's better to take into account its value for precicion.

Impact

Precicion loss in profitdistribution

Tools Used

Manual review

Recommendations

Consider adding a token decimal value for the calculations, for example:

totalProfit += (amount * ACCURACY * token.decimals) / _totalSupply;
Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.