Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

_totalValue does not check for decimals, which makes it display the wrong value

Summary

_totalValue doesn't check for decimals. Since any token can be sent to the contract, deposited tokens may also have different decimals, which throws off the whole total.

Vulnerability Details

_totalValue does not check for decimals, which makes this issue different from the other one I sent before: even if that other one is fixed, the decimals are still a problem if they differ between tokens, making _totalValue completely useless.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/Treasury.sol#L41-L55

```solidity
/**
 * @notice Deposits tokens into the treasury
 * @dev Requires approval for token transfer
 * @param token Address of token to deposit
 * @param amount Amount of tokens to deposit
 */
function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    // raw amount is added to the total regardless of the token's decimals
    _totalValue += amount;
    emit Deposited(token, amount);
}
```

Impact

Even if the other issue about spammy tokens being allowed is fixed and only selected tokens and depositors can deposit, the decimals still have to be checked; otherwise _totalValue is useless.

Tools Used

Manual review

Recommendations

Check the token's decimals before adding the amount to _totalValue.
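One way to apply this recommendation, as an added sketch that is not the RAAC Treasury code: amounts are scaled to a common precision before being summed, and the amount booked is what actually arrived. It assumes OpenZeppelin's IERC20Metadata, SafeERC20 and ReentrancyGuard, a hypothetical constructor-set allowlist, and 18 as the target precision.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical decimal-aware treasury sketch; not the RAAC Treasury code.
contract DecimalAwareTreasury is ReentrancyGuard {
    using SafeERC20 for IERC20;

    uint8 public constant TARGET_DECIMALS = 18;
    mapping(address => bool) public allowedTokens; // assumed allowlist, set once in the constructor
    mapping(address => uint256) private _balances;  // raw token units, per token
    uint256 private _totalValue;                     // sum of deposits scaled to TARGET_DECIMALS

    error InvalidAddress();
    error InvalidAmount();
    error TokenNotAllowed();
    event Deposited(address indexed token, uint256 received, uint256 normalized);

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) allowedTokens[tokens[i]] = true;
    }

    /// Scales a raw amount to TARGET_DECIMALS so that e.g. 1 USDC (6 decimals)
    /// and 1 DAI (18 decimals) both contribute 1e18 to the total.
    function normalize(address token, uint256 amount) public view returns (uint256) {
        uint8 d = IERC20Metadata(token).decimals();
        if (d == TARGET_DECIMALS) return amount;
        if (d < TARGET_DECIMALS) return amount * 10 ** (TARGET_DECIMALS - d);
        return amount / 10 ** (d - TARGET_DECIMALS);
    }

    function deposit(address token, uint256 amount) external nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        if (!allowedTokens[token]) revert TokenNotAllowed();
        // Book what actually arrived, so fee-on-transfer tokens cannot inflate the records.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        if (received == 0) revert InvalidAmount();
        uint256 normalized = normalize(token, received);
        _balances[token] += received;
        _totalValue += normalized;
        emit Deposited(token, received, normalized);
    }
}
```

Normalizing decimals only makes amounts from different tokens addable in one unit; it does not make one token's unit worth another's, and a token whose decimals() reverts or lies still reaches the books, which is why the allowlist stays in place.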

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
