The use of decimals() might prevent valid ERC20 tokens from being deposited by users.
Summary
It should be noted that decimals() function is an Optional function as per the ERC20 standard and may not be implemented by a number of tokens.
As per the ERC20 standard the 'decimals()' function is an optional function and not all tokens (including the standard ones) actually implement a decimals function. According to the ERC20 standard :
decimals
Returns the number of decimals the token uses - e.g. 8, means to divide the token amount by 100000000 to get its user representation.
OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present.
Vulnerability Details
The decimals function is used in the contract AaveDIVAWrapperCore::_registercollateralTokens to extract the number of decimal places used in the token.
Impact
Since decimals is an optional function as per the ERC20 standard any valid ERC20 token like cloutContracts, DIgixDAOwhich does not implement the decimals function cannot be deposited by the user.
Tools Used
Manual Review
Recommendations
To avoid this issue and ensure compatibility with a wider range of tokens, it is recommended to follow a more resilient approach. Instead of blindly relying on the decimals() function, consider using other strategies such as:
-
Allowing users to specify the number of decimal places explicitly when interacting with token balances or performing calculations.
-
Utilizing libraries or utility functions that perform validation and fallback to a default value or heuristic method when decimals() is not available.
-
Providing clear documentation and warnings to users on potential compatibility issues when interacting with tokens that may not implement decimals().
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.