Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Incorrect Decimals Handling in RToken.sol

Summary

The RToken uses a fixed 18 decimals (inherited from ERC20) regardless of the underlying asset's decimals (e.g., USDC uses 6 decimals). This causes mismatches in value representation.

Vulnerability Details

The RToken is based on an underlying token. However, it does not take into account how many decimals the underlying token has, as shown in decimals():

function decimals() public view virtual override(ERC20, IRToken) returns (uint8) {
    return super.decimals(); // 18
}

And this is what the super.decimals() function looks like:

function decimals() public view virtual returns (uint8) {
    return 18;
}

For example, in the burn() function:

_burn(from, amount.toUint128());
if (receiverOfUnderlying != address(this)) {
    IERC20(_assetAddress).safeTransfer(receiverOfUnderlying, amount);
}

The amount burned and the amount of underlying asset transferred are the same. However, this will cause a discrepancy (high level).

Impact

Users will see incorrect balances, and interactions with the underlying asset will have scaling errors (e.g., 1 RToken might represent 1e12 underlying units instead of 1:1).

Tools Used

Manual Review

Recommendations

Change the decimals() code in RToken.sol:

function decimals() public view virtual override(ERC20, IRToken) returns (uint8) {
    // decimals() is declared in IERC20Metadata, not in the base IERC20 interface
    return IERC20Metadata(_assetAddress).decimals();
}
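
The display mismatch described under Impact, and the effect of the recommended change, worked through as an added example (not code from RToken.sol or the project). It models only the equal raw `amount` on both sides of burn() shown above; the function names and sample amounts are constructed for illustration.

```javascript
// Added illustration with constructed values; not code from RToken.sol.
const UNDERLYING_DECIMALS = 6;  // USDC, the page's example underlying asset
const WRAPPER_DECIMALS = 18;    // what super.decimals() returns

// Render a raw integer amount the way a wallet does: raw / 10^decimals.
function formatUnits(raw, decimals) {
  const base = 10n ** BigInt(decimals);
  const frac = (raw % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${raw / base}.${frac}` : `${raw / base}`;
}

// Convert a human-readable amount into raw integer units.
function parseUnits(text, decimals) {
  const [whole, frac = ""] = text.split(".");
  if (frac.length > decimals) throw new RangeError("too many fractional digits");
  return BigInt(whole) * 10n ** BigInt(decimals) + BigInt(frac.padEnd(decimals, "0") || "0");
}

// burn() as shown above moves the same raw `amount` on both sides, so the
// wrapper balance backing a withdrawal is the same integer as the payout.
function describeBurn(payoutText) {
  const amount = parseUnits(payoutText, UNDERLYING_DECIMALS);
  return {
    amount,
    underlyingShown: formatUnits(amount, UNDERLYING_DECIMALS),
    wrapperShown18: formatUnits(amount, WRAPPER_DECIMALS),   // current decimals()
    wrapperShown6: formatUnits(amount, UNDERLYING_DECIMALS), // recommended decimals()
    // Whole underlying tokens behind one displayed wrapper token at 18 decimals.
    underlyingPerDisplayedWrapper: formatUnits(10n ** BigInt(WRAPPER_DECIMALS), UNDERLYING_DECIMALS),
  };
}

console.log(describeBurn("100"));
```

The raw integers agree in both cases; only the decimals value used to render the wrapper balance changes what a holder sees.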

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality