Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Incorrect Handling of Token Decimals in withdraw::Treasury.sol and deposit::Treasury.sol leads to a Misleading Total Value in getTotalValue::Treasury.sol

Summary

ERC-20 tokens have varying decimal places (e.g., USDC = 6 decimals, DAI = 18 decimals). However, _totalValue is updated on every deposit and withdrawal with the raw token amount, without normalizing for the token's decimals, which implicitly assumes all tokens share the same scale.

Vulnerability Details

function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
@>  _totalValue += amount;
    emit Deposited(token, amount);
}

Impact

  • The protocol misrepresents the actual total deposited value, leading to incorrect accounting of funds and a misleading return value from getTotalValue():

    function getTotalValue() external view override returns (uint256) {
        return _totalValue;
    }

Tools Used

Manual review

Recommendations

Normalize token values based on decimals

Use ERC-20’s decimals() function to convert all token values to a standard scale (e.g., 18 decimals) before updating _totalValue:

uint8 decimals = IERC20Metadata(token).decimals(); // decimals() lives on OpenZeppelin's IERC20Metadata, not IERC20
uint256 normalizedAmount = decimals <= 18
    ? amount * (10 ** (18 - decimals))
    : amount / (10 ** (decimals - 18)); // guard: 18 - decimals would underflow for tokens with more than 18 decimals
_totalValue += normalizedAmount;
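Added example (Python, not the project's code) modelling the two accounting variants described above: the raw-sum bookkeeping of the reported deposit(), and the normalized version from the recommendation, with withdraw mirroring deposit so the total cannot drift. The token symbols, their decimals and the 24-decimal "HIGH" token are constructed assumptions.

```python
"""Constructed model of the Treasury bookkeeping above (not the project's code).
normalized=False adds raw amounts as the reported deposit() does; normalized=True
scales to 18 decimals first, also covering tokens with more than 18 decimals,
where the naive 10**(18 - decimals) would underflow in Solidity."""
from dataclasses import dataclass, field

SCALE = 18
# Constructed sample tokens (symbol -> decimals); "HIGH" is a hypothetical 24-decimal token.
TOKENS = {"USDC": 6, "DAI": 18, "HIGH": 24}


def normalize(amount: int, decimals: int) -> int:
    """Scale a raw amount to SCALE decimals with integer math, as Solidity would."""
    if decimals <= SCALE:
        return amount * 10 ** (SCALE - decimals)
    return amount // 10 ** (decimals - SCALE)  # truncates; sub-unit dust is dropped


@dataclass
class Treasury:
    normalized: bool  # False reproduces the bug, True applies the fix
    balances: dict = field(default_factory=dict)
    total_value: int = 0

    def _scaled(self, token: str, amount: int) -> int:
        # On-chain this would read IERC20Metadata(token).decimals()
        return normalize(amount, TOKENS[token]) if self.normalized else amount

    def deposit(self, token: str, amount: int) -> None:
        if amount == 0:
            raise ValueError("InvalidAmount")
        self.balances[token] = self.balances.get(token, 0) + amount
        self.total_value += self._scaled(token, amount)

    def withdraw(self, token: str, amount: int) -> None:
        if self.balances.get(token, 0) < amount:
            raise ValueError("InsufficientBalance")
        self.balances[token] -= amount
        self.total_value -= self._scaled(token, amount)  # same scaling on the way out

    def get_total_value(self) -> int:
        return self.total_value


def demo() -> tuple:
    """Deposit 1,000 USDC and 1,000 DAI (equal nominal value) into both variants."""
    raw, fixed = Treasury(normalized=False), Treasury(normalized=True)
    for t in (raw, fixed):
        t.deposit("USDC", 1_000 * 10**6)
        t.deposit("DAI", 1_000 * 10**18)
    return raw.get_total_value(), fixed.get_total_value()
```

The raw variant reports roughly 1,000 units of value for 2,000 deposited, because the USDC amount is a billion times smaller in raw units; the normalized variant reports 2,000e18.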

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
