Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Treasury.sol::deposit updates totalValue without accounting for token decimals, so the variable returns a wrong value

Summary

Treasury.sol::deposit receives deposits of all types of tokens, registers the balance for a specific token, and stores the `totalValue` in the contract.

Vulnerability Details

In addition to ignoring the checks-effects-interactions (CEI) pattern, it adds all token amounts to a single variable without converting them to a common rate, such as the USD value, or even checking for different decimals.

For example: if the protocol has 10 ether stored in the `totalValue` variable and someone deposits 1000e6, the total value stored in the contract will be 10_000_000_000_000_000_000 + 1_000_000_000.

[code](https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L46-L55)

Impact

The value returned from Treasury.sol::getTotalValue will not reflect the total value stored in the contract if tokens with different decimals or different representations are deposited.

Tools Used

Code Review

Recommendations

Evaluate the real need for this variable to exist. If it's really needed, consider converting to a common rate using oracles.
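The difference between the raw sum and an oracle-normalized total, modelled off-chain with BigInt as an added example (this is not the RAAC Treasury code). The token registry, the `WETH`/`USDC` labels, the prices and every function name are assumptions constructed for the illustration.

```javascript
// Added illustration: an off-chain model of the accounting, not the project's contract.
// Token decimals and USD prices are constructed sample values.
const WAD = 10n ** 18n;

// Hypothetical allow-list: token decimals plus an oracle price with its own decimals.
const TOKENS = {
  WETH: { decimals: 18n, price: 2000n * 10n ** 8n, priceDecimals: 8n },
  USDC: { decimals: 6n, price: 1n * 10n ** 8n, priceDecimals: 8n },
};

// Behaviour described in the finding: raw amounts are summed into one counter.
function naiveTotal(deposits) {
  return deposits.reduce((sum, d) => sum + d.amount, 0n);
}

// Convert a raw token amount to a USD value with 18 decimals.
function toUsdWad(symbol, amount) {
  const t = TOKENS[symbol];
  if (!t) throw new Error(`token not allow-listed: ${symbol}`);
  if (amount <= 0n) throw new Error("amount must be positive");
  // Multiply before dividing so small amounts are not truncated to zero.
  return (amount * t.price * WAD) / (10n ** t.decimals * 10n ** t.priceDecimals);
}

// Recommended direction: every deposit is converted to a common rate first.
function normalizedTotal(deposits) {
  return deposits.reduce((sum, d) => sum + toUsdWad(d.symbol, d.amount), 0n);
}

// Constructed deposits matching the finding's example: 10 ether, then 1000e6.
const deposits = [
  { symbol: "WETH", amount: 10n * WAD },
  { symbol: "USDC", amount: 1000n * 10n ** 6n },
];

console.log("naive     :", naiveTotal(deposits).toString());
console.log("normalized:", normalizedTotal(deposits).toString());
```

In the naive total the 1000e6 deposit is a rounding error next to the 18-decimal amount, while the normalized total counts it as 1000 USD and rejects tokens that have no registered price.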

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
