Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Decimals Mismatch issue in the DEToken

Summary

DEToken uses 18 decimals (the default in ERC20), while the underlying RToken has a different decimal precision (e.g., 6 for USDC).

This breaks the 1:1 redemption ratio. For example:

1 DEToken (1e18 units) would redeem 1e12 RToken (1e6 units), not 1:1.

Vulnerability Details

The DEToken contract inherits the default decimals value of 18 from the OpenZeppelin ERC20 implementation. However, the underlying RToken (e.g., a stablecoin like USDC) might use a different decimal precision (e.g., 6). This mismatch breaks the intended 1:1 redeemability between DEToken and RToken.

When a user redeems 1 DEToken (1e18 units), the contract transfers 1e18 RToken units (equivalent to 1e12 RToken "whole tokens"), violating the 1:1 promise.

The transferAsset function directly transfers amount RToken units without adjusting for decimal differences:

function transferAsset(address user, uint256 amount) external onlyStabilityPool {
    IERC20(rTokenAddress).safeTransfer(user, amount); // Transfers "amount" RToken units
}

Since DEToken and RToken have different decimals, amount (in DEToken units) does not equate to the same "whole token" value in RToken.

Impact

Users receive far fewer/more RTokens than expected. The 1:1 redemption guarantee is broken, undermining user confidence.

Tools Used

Foundry

Recommendations

Query the RToken’s decimals() during DEToken initialization.

Align DEToken’s decimals with RToken’s.
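
The unit arithmetic behind this claim can be checked before accepting or rejecting it. The following is an added example, not code from the submission or the audited project: it compares an unscaled transfer of amount (what the quoted transferAsset does) with a decimal-aware conversion, including the truncation dust that scaling down produces. The 18/6 decimals are the submission's hypothetical values and all function names are illustrative; the real values must be read from each token's decimals().

```python
from fractions import Fraction

def whole_tokens(raw_units: int, decimals: int) -> Fraction:
    """Whole-token value of a raw integer amount for a token with `decimals`."""
    return Fraction(raw_units, 10 ** decimals)

def scale_units(amount: int, from_decimals: int, to_decimals: int) -> tuple[int, int]:
    """Convert raw units between precisions.

    Returns (converted, dust). `dust` is the remainder, in source units, that
    the lower precision cannot represent (integer division truncates, as in Solidity).
    """
    if amount < 0:
        raise ValueError("amount must be non-negative")
    if to_decimals >= from_decimals:
        return amount * 10 ** (to_decimals - from_decimals), 0
    factor = 10 ** (from_decimals - to_decimals)
    return amount // factor, amount % factor

def redemption_report(amount: int, wrapper_decimals: int, asset_decimals: int) -> dict:
    """Compare an unscaled transfer of `amount` with a decimal-aware one."""
    burned = whole_tokens(amount, wrapper_decimals)
    # Unscaled: the same integer is interpreted at the asset's precision.
    raw_paid = whole_tokens(amount, asset_decimals)
    scaled, dust = scale_units(amount, wrapper_decimals, asset_decimals)
    return {
        "burned_whole": burned,
        "raw_paid_whole": raw_paid,
        "raw_ratio": raw_paid / burned if burned else None,
        "scaled_units": scaled,
        "scaled_paid_whole": whole_tokens(scaled, asset_decimals),
        "dust": dust,
        "one_to_one": raw_paid == burned,
    }

if __name__ == "__main__":
    # Constructed inputs: (wrapper decimals, asset decimals, amount in wrapper units).
    for wd, ad, amt in [(18, 6, 10**18), (18, 18, 10**18), (18, 6, 10**18 + 5)]:
        print(wd, ad, amt, redemption_report(amt, wd, ad))
```

An unscaled transfer is 1:1 only when both decimals() values are equal, so the report's one_to_one field is the fact to establish from the deployed contracts when triaging a finding like this one.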

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
