Lack of Standardization in `_totalValue` Calculation Across Different Tokens
Summary
The deposit and withdraw functions incorrectly aggregate the total value of tokens (_totalValue) without considering token decimals or exchange rates. This could lead to inaccurate financial tracking and misrepresentation of the contract’s actual holdings.
Vulnerability Details
The contract tracks _totalValue by summing deposited token amounts directly:
-
Ignoring Token Decimals: Different ERC-20 tokens have different decimal places (e.g., USDC has 6 decimals while WETH has 18). Summing raw values without standardization results in misleading total value calculations.
-
Lack of Exchange Rate Consideration: Tokens have varying values in the market. Treating them as equivalent in _totalValue misrepresents the actual asset value.
3, Inaccurate Reporting: The getTotalValue function may provide misleading information, potentially affecting financial decision-making or automated strategies relying on this metric.
Impact
Incorrect _totalValue tracking can lead to financial discrepancies and misinformed decision-making.
Tools Used
Manual review
Recommendations
Implement a system to convert token amounts into a common unit of measure (e.g., using Chainlink price feeds for conversion
Lead Judging Commences
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.