Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Mismatched Tokens Calculation

Summary

The deposit function fails to properly normalize token amounts with different decimal places when updating _totalValue. This oversight causes inaccurate aggregation of deposits since tokens like USDC (6 decimals) and ETH (18 decimals) are treated equivalently, leading to significant accounting errors.

Vulnerability Details

1. Mismatched Token Decimals

  • _totalValue accumulates raw token amounts without decimal normalization

  • Example scenario:

    • 1 USDC deposit (1,000,000 units) and 1 ETH deposit (1,000,000,000,000,000,000 units) are treated as equivalent values

    • Results in severely distorted total value calculations

  • Consequences include:

    • Inaccurate financial calculations based on _totalValue

    • Misrepresented treasury holdings

Impact

  • Inaccurate treasury value accounting

  • Potential errors in allocation and withdrawal calculations

  • Compromised reliability of any protocol mechanisms depending on _totalValue

Tools Used

  • Manual code review

Recommendations

Normalize Token Amounts Based on Decimals

  • Implement decimal normalization before adding to _totalValue

  • Utilize IERC20(token).decimals() or maintain a decimal mapping

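function _normalizeAmount(address token, uint256 amount) internal view returns (uint256) {
    uint8 decimals = tokenDecimals[token]; // Predefined mapping of token decimals
    // Scale to 18 decimals. Tokens with more than 18 decimals are scaled down,
    // because 18 - decimals would underflow and revert for them.
    if (decimals > 18) return amount / (10 ** (decimals - 18));
    return amount * (10 ** (18 - decimals));
}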
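
The raw accumulation described in this finding next to the normalized one, as an added example that is not the audited Treasury contract or code from the submission. TreasurySketch, allowToken, totals and the 36-decimal bound are hypothetical names and choices made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: hypothetical minimal treasury, not the audited contract.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TreasurySketch {
    uint8 private constant TARGET_DECIMALS = 18;
    address private immutable owner;
    uint256 private _totalValueRaw;        // accumulation as described in the finding
    uint256 private _totalValueNormalized; // always expressed in 18-decimal units
    mapping(address => uint8) public tokenDecimals; // cached once, at allow-listing
    mapping(address => bool) public isAllowed;

    constructor() { owner = msg.sender; }

    function allowToken(address token) external {
        require(msg.sender == owner, "not owner");
        uint8 d = IERC20Metadata(token).decimals();
        require(d <= 36, "unsupported decimals"); // assumed bound, keeps 10 ** n small
        tokenDecimals[token] = d;
        isAllowed[token] = true;
    }

    function deposit(address token, uint256 amount) external {
        require(isAllowed[token], "token not allowed");
        // Assumption: token returns bool; production code would use a safe-transfer wrapper.
        require(IERC20Metadata(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        _totalValueRaw += amount;                           // 1 USDC adds 1e6, 1 WETH adds 1e18
        _totalValueNormalized += _normalize(token, amount); // both add 1e18
    }

    function _normalize(address token, uint256 amount) internal view returns (uint256) {
        uint8 d = tokenDecimals[token];
        if (d <= TARGET_DECIMALS) return amount * 10 ** (TARGET_DECIMALS - d);
        return amount / 10 ** (d - TARGET_DECIMALS); // rounds down above 18 decimals
    }

    function totals() external view returns (uint256 raw, uint256 normalized) {
        return (_totalValueRaw, _totalValueNormalized);
    }
}
```

After one deposit of 1 USDC and one of 1 WETH, totals() returns a raw value of 1,000,000,000,001,000,000 and a normalized value of 2,000,000,000,000,000,000.
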
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
