Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Inaccurate _totalValue Calculation Due to Lack of Decimal Normalization Across ERC-20 Tokens

Summary

The _totalValue variable in the Treasury contract misrepresents the actual value of assets held by summing raw token amounts without accounting for different decimal places. This leads to incorrect fund accounting, causing inaccurate treasury valuation and potential misallocation of resources.

Vulnerability Details

ERC-20 tokens have varying decimal places, but the contract updates _totalValue in the deposit() and withdraw() functions by directly adding or subtracting raw token amounts without normalizing them. This results in inaccurate treasury valuation, as tokens with different decimal precisions are treated the same, leading to misrepresentation of actual asset holdings.

References:

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/Treasury.sol#L52
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/Treasury.sol#L74

Impact

Low

Tools Used

Manual

Recommendations

Normalize Token Values Based on Decimals
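
One way to apply this recommendation, as an added sketch that is not the RAAC Treasury code and not part of the original submission: per-token balances stay in raw units while _totalValue is kept in 18-decimal units. The contract name, _manager, _balances, getTotalValue, the custom errors and the OpenZeppelin imports are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch: names other than deposit, withdraw and _totalValue are assumed.
contract NormalizedTreasurySketch {
    using SafeERC20 for IERC20;

    uint8 private constant TARGET_DECIMALS = 18;
    address private immutable _manager;            // assumed single withdrawer
    mapping(address => uint256) private _balances; // raw token units, per token
    uint256 private _totalValue;                   // sum in 18-decimal units

    error UnsupportedDecimals(uint8 decimals);
    error InsufficientBalance();
    error Unauthorized();

    constructor() { _manager = msg.sender; }

    // Scale a raw amount to 18 decimals, e.g. 1 USDC (1e6 raw) becomes 1e18.
    // This aligns units only; it does not price tokens against each other.
    function _normalize(address token, uint256 amount) internal view returns (uint256) {
        uint8 d = IERC20Metadata(token).decimals();
        if (d > TARGET_DECIMALS) revert UnsupportedDecimals(d);
        return amount * 10 ** uint256(TARGET_DECIMALS - d);
    }

    function deposit(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
        _totalValue += _normalize(token, amount);
    }

    function withdraw(address token, uint256 amount, address recipient) external {
        if (msg.sender != _manager) revert Unauthorized();
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= _normalize(token, amount);
        IERC20(token).safeTransfer(recipient, amount);
    }

    function getTotalValue() external view returns (uint256) {
        return _totalValue;
    }
}
```

The sketch trusts the value returned by decimals() and assumes the full amount arrives on transfer, so it does not cover the malicious or fee-on-transfer tokens named in the judge's tag.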

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
