Core Contracts

Regnum Aurum Acquisition Corp
Hardhat / Real World Assets / NFT
77,280 USDC

Severity: medium
Valid

Treasury::getTotalValue will return a meaningless value

Summary

The Treasury::deposit function allows users to deposit any ERC-20 token into the contract, while _totalValue is updated to track the total deposited amount. The getTotalValue function then returns _totalValue. However, _totalValue is incremented directly with raw token amounts without accounting for differences in token decimals.

Vulnerability Details

```solidity
function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    // Raw token units are summed here regardless of the token's decimals.
    _totalValue += amount;
    emit Deposited(token, amount);
}

function getTotalValue() external view override returns (uint256) {
    // Returns the mixed-decimal sum accumulated above.
    return _totalValue;
}
```

Different ERC-20 tokens have varying decimal places (e.g., USDC has 6 decimals, while WETH has 18). Since _totalValue is simply incremented by the deposited amount without standardizing decimals, its value becomes inconsistent and misleading.

Impact

Because _totalValue mixes raw amounts of tokens with different decimals, getTotalValue returns a number with no consistent unit, so any caller that relies on it as a treasury valuation is misled.

Tools Used

Manual Review

Recommendations

Convert all token amounts to a standard decimal format (e.g., 18 decimals) before adding to _totalValue.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
