issue: Potential Decimal Mismatch
Throughout the strategy’s internal functions (e.g., _deployFunds
, _freeFunds
, claimAndSwap
), the code implicitly assumes both asset
(alETH) and underlying
(WETH) share the same decimal precision (commonly 18 decimals). However, there is no explicit check or handling if either token has non-standard decimals. If underlying
or asset
operates with a different number of decimals, arithmetic and comparisons (e.g., minOut > _amount
) can become incorrect or misleading, potentially causing revert conditions or misallocated funds.
Unexpected Rounding / Scaling Errors
If tokens do not share 18 decimals, deposit, withdrawal, or swap amounts may be off by factors of 10.
Silent Logical Inconsistencies
Even if the protocol doesn’t revert, user balances or yields could be understated or overstated.
Potential for Partial or Total Lock-Up
In extreme cases, mismatched decimals might trigger consistent reverts in _deployFunds
or claimAndSwap
, blocking user operations.
No explicit decimal check or scaling logic is found:
The code treats _amount
and minOut
as though both tokens share the same decimal basis.
Non-Standard Decimal Token
Suppose the transmuter’s underlyingToken()
has 6 decimals (like USDC) instead of 18.
Arithmetic Discrepancies
A check such as require(minOut > _amount)
is meaningless if _amount
is effectively scaled differently than minOut
.
Reverts / Incorrect Transfers
The contract may revert due to perceived “low” or “invalid” amounts, or may inadvertently pass incorrect amounts to external calls, creating or missing significant funds.
Check & Enforce Matching Decimals
If the design mandates the same decimals, revert early for non-conformance.
Implement Scaling Logic
If the protocol allows mixed decimals, include a scaling factor so amounts are normalized to a consistent base before comparisons or swaps:
This ensures _amount
and minOut
are compared accurately.
Test with Non-Standard Decimals
Add unit or fuzz tests simulating 6-decimal tokens (e.g., USDC) or 8-decimal tokens (e.g., WBTC) to detect potential logical errors early.
While many tokens do use 18 decimals, ignoring the possibility of non-standard decimals can lead to subtle but significant bugs in deposit, withdrawal, and swapping logic. Adding a simple decimal check or proper scaling in the strategy ensures robust handling of a broader range of ERC20 tokens, preventing confusing reverts and ensuring accurate accounting.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.