Token Decimal Mismatch in Total Value Calculation
Summary
The deposit function is designed to allow users to deposit tokens into the treasury. However, it directly adds deposited token amounts to _totalValue without considering token decimals. Since different tokens have varying decimal places (e.g., USDC uses 6 decimals while ETH uses 18), this can lead to incorrect total value calculations.
Vulnerability Details
1. Mismatched Token Decimals
The
_totalValuevariable aggregates the raw amount of deposited tokens, but different tokens have different decimal places.Example:
Depositing 1 USDC (1e6 units) and 1 ETH (1e18 units) would be incorrectly treated as equal, leading to distorted total value representation.
This could lead to:
Incorrect calculations for financial operations relying on
_totalValue.Misrepresentation of actual treasury holdings.
Impact
Incorrect accounting of total treasury value.
Misrepresentation of treasury value could affect allocations, withdrawals, or fee calculations.
Any mechanism relying on
_totalValue(e.g., token distribution, rewards, or reporting) could be affected.
Tools Used
Manual code review
Recommendations
1. Normalize Token Amounts Based on Decimals
Convert deposited token amounts to a common unit before adding to
_totalValue.Use
IERC20(token).decimals()(if available) or maintain a mapping of token decimals.
Lead Judging Commences
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.