-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistent Implementation for supported asset token decimal #172
Comments
raymondfam marked the issue as sufficient quality report |
raymondfam marked the issue as duplicate of #25 |
ERC20 token not having decimals() implemented is prone to incorrect assignment to _underlyingDecimals. Although PrizeVault.decimals() isn't used in the contract, it could provide faulty info to the caller dependent on it. |
raymondfam marked the issue as not a duplicate |
raymondfam marked the issue as primary issue |
trmid (sponsor) confirmed |
hansfriese marked the issue as satisfactory |
hansfriese marked the issue as selected for report |
Hi @hansfriese,I think this submission should be considered as QA. |
Hi, just want provide some additional information if needed:
Thanks. |
While reconsidering the severity, the only impact is that |
hansfriese marked the issue as not selected for report |
hansfriese removed the grade |
hansfriese changed the severity to QA (Quality Assurance) |
hansfriese marked the issue as grade-c |
mitigation: GenerationSoftware/pt-v5-vault#95 |
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L304-L305
Vulnerability details
Impact
In the creation of
PrizeVault
, if_tryGetAssetDecimals
fails, the decimal is directly regarded as 18. This can be incompatible with some tokens that haven't implemented thedecimal
function and is not intended to be used as 18 decimals.Proof of Concept
In the constructor of
PrizeVault
, the_tryGetAssetDecimals
is called to get the decimal of the underlying asset. However, if the call fails, the decimal is presumed to be 18.This is incompatible with some tokens(ex. a valid token that hasn't implemented the
decimals
function and is not intended to be used as 18 decimals). Sincedecimals
is not a standard function in EIP-20 but is added later.As a result, this may cause mis-information and cause potential loss for users.
Tools Used
Manual
Recommended Mitigation Steps
It's proper to simply revert when
_tryGetAssetDecimals
fails instead of pre-assuming all tokens that haven't implementeddecimals
function to be all18
decimals.Assessed type
MEV
The text was updated successfully, but these errors were encountered: