Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Asset Valuation in `Treasury::_totalValue` Due to Token Decimal Mismatch

Summary

`Treasury::_totalValue` accumulates raw token amounts without accounting for differences in decimal precision, so the aggregated figure is meaningless. Directly summing quantities of tokens with different decimals (e.g., 18 decimals vs. 6 decimals) produces inaccurate valuations and creates operational risk.

Vulnerability Details

```solidity
function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    _totalValue += amount; // <== @found: raw amount added regardless of the token's decimals
    emit Deposited(token, amount);
}

function withdraw(
    address token,
    uint256 amount,
    address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
    if (token == address(0)) revert InvalidAddress();
    if (recipient == address(0)) revert InvalidRecipient();
    if (_balances[token] < amount) revert InsufficientBalance();
    _balances[token] -= amount;
    _totalValue -= amount; // <== @found: raw amount subtracted regardless of the token's decimals
    IERC20(token).transfer(recipient, amount);
    emit Withdrawn(token, amount, recipient);
}
```

Impact

  • Renders _totalValue metric meaningless

  • Potential fund misallocation decisions based on flawed data

Tools Used

  • Manual Review

Recommendations

Implement token-specific tracking:

```solidity
mapping(address token => uint256 amount) public tokenToAmount;
```
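The effect of the decimal mismatch, and of per-token tracking, modelled off-chain in JavaScript with BigInt as an added example (not code from the contest repository or the submitter). The token names `USDC6` and `TOK18`, their decimals, and the `scaledTo18` helper are assumptions made for illustration.

```javascript
// Added illustration. Token names and decimals are constructed sample data.
const DECIMALS = { USDC6: 6n, TOK18: 18n }; // hypothetical tokens

// Whole-token count -> raw base units, as an ERC-20 transfer would carry them.
const units = (whole, token) => BigInt(whole) * 10n ** DECIMALS[token];

// Mirrors the bookkeeping in Treasury::deposit / withdraw from the report.
class NaiveTreasury {
  constructor() { this.balances = {}; this.totalValue = 0n; }
  deposit(token, amount) {
    this.balances[token] = (this.balances[token] ?? 0n) + amount;
    this.totalValue += amount; // raw units of unrelated tokens summed together
  }
  withdraw(token, amount) {
    if ((this.balances[token] ?? 0n) < amount) throw new Error("InsufficientBalance");
    this.balances[token] -= amount;
    this.totalValue -= amount;
  }
}

// Per-token tracking as recommended; no cross-token sum is kept at all.
class PerTokenTreasury {
  constructor() { this.tokenToAmount = {}; }
  deposit(token, amount) {
    this.tokenToAmount[token] = (this.tokenToAmount[token] ?? 0n) + amount;
  }
  withdraw(token, amount) {
    if ((this.tokenToAmount[token] ?? 0n) < amount) throw new Error("InsufficientBalance");
    this.tokenToAmount[token] -= amount;
  }
  // Assumption beyond the report: scale to 18 decimals so quantities are comparable.
  // The result is a token count, not a price-based value.
  scaledTo18(token) {
    const d = DECIMALS[token];
    if (d === undefined) throw new Error("unknown decimals");
    const amt = this.tokenToAmount[token] ?? 0n;
    return d <= 18n ? amt * 10n ** (18n - d) : amt / 10n ** (d - 18n);
  }
}

function demo() {
  const naive = new NaiveTreasury(), fixed = new PerTokenTreasury();
  for (const t of [naive, fixed]) {
    t.deposit("USDC6", units(1_000_000, "USDC6")); // one million 6-decimal tokens
    t.deposit("TOK18", units(1, "TOK18"));         // a single 18-decimal token
  }
  // Parts per million of _totalValue contributed by the million-token deposit.
  const ppm = (naive.balances.USDC6 * 1_000_000n) / naive.totalValue;
  return { total: naive.totalValue, ppm, usdc: fixed.scaledTo18("USDC6"), tok: fixed.scaledTo18("TOK18") };
}
```

In the naive model, one million 6-decimal tokens contribute less than one part per million of `_totalValue` next to a single 18-decimal token, while the per-token ledger keeps each quantity recoverable.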

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
