Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inconsistent Implementation for supported asset token decimal #172

Closed
c4-bot-2 opened this issue Mar 10, 2024 · 16 comments
Closed

Inconsistent Implementation for supported asset token decimal #172

c4-bot-2 opened this issue Mar 10, 2024 · 16 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-c primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_25_group AI based duplicate group recommendation sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-bot-2
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L304-L305

Vulnerability details

Impact

In the creation of PrizeVault, if _tryGetAssetDecimals fails, the decimal is directly regarded as 18. This can be incompatible with some tokens that haven't implemented the decimal function and is not intended to be used as 18 decimals.

Proof of Concept

In the constructor of PrizeVault, the _tryGetAssetDecimals is called to get the decimal of the underlying asset. However, if the call fails, the decimal is presumed to be 18.

        IERC20 asset_ = IERC20(yieldVault_.asset());
        (bool success, uint8 assetDecimals) = _tryGetAssetDecimals(asset_);
        _underlyingDecimals = success ? assetDecimals : 18;

This is incompatible with some tokens(ex. a valid token that hasn't implemented the decimals function and is not intended to be used as 18 decimals). Since decimals is not a standard function in EIP-20 but is added later.

As a result, this may cause mis-information and cause potential loss for users.

Tools Used

Manual

Recommended Mitigation Steps

It's proper to simply revert when _tryGetAssetDecimals fails instead of pre-assuming all tokens that haven't implemented decimals function to be all 18 decimals.

Assessed type

MEV
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 10, 2024
c4-bot-6 added a commit that referenced this issue Mar 10, 2024
@c4-bot-6
jesjupyter issue #172
e7b7d7f
@c4-bot-12 c4-bot-12 added the 🤖_25_group AI based duplicate group recommendation label Mar 11, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Mar 12, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #25

@raymondfam
Copy link

raymondfam commented Mar 12, 2024
edited
Loading

ERC20 token not having decimals() implemented is prone to incorrect assignment to _underlyingDecimals. Although PrizeVault.decimals() isn't used in the contract, it could provide faulty info to the caller dependent on it.

@c4-pre-sort c4-pre-sort reopened this Mar 13, 2024
@c4-pre-sort
Copy link

raymondfam marked the issue as not a duplicate

@c4-pre-sort
Copy link

raymondfam marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Mar 13, 2024
This was referenced Mar 13, 2024
Closed
Closed
Closed
Closed
This was referenced Mar 13, 2024
Closed
Open
@c4-sponsor
Copy link

trmid (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Mar 13, 2024
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Mar 15, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge
Copy link
Contributor

hansfriese marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Mar 15, 2024
This was referenced Mar 15, 2024
Closed
Closed
Closed
@wangxx2026
Copy link

Hi @hansfriese,I think this submission should be considered as QA.
This writeup comes from OZ, and tokens that don't implement decimals are rare anymore

@jes16jupyter
Copy link

Hi, just want provide some additional information if needed:

  1. There are indeed some tokens with 0 decimals that are still active. For example, DGD, CloutContracts. I agree that it's rare, yet in EIP20 it says that OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present.
  2. Different Orgs are treating this issue differently.
    1. Etherscan is taking 0 decimals for erc20 tokens without decimals implementation.
    2. Metamask will need user to specify the decimal for erc20 tokens without decimals implementation.

Thanks.

@hansfriese
Copy link

While reconsidering the severity, the only impact is that PrizeVault.decimals() will return incorrect decimals and users won't incur any losses during deposit/withdrawal.
I think it's fair to downgrade to QA.

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Mar 20, 2024
@c4-judge
Copy link
Contributor

hansfriese marked the issue as not selected for report

@c4-judge
Copy link
Contributor

hansfriese removed the grade

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed satisfactory satisfies C4 submission criteria; eligible for awards 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Mar 20, 2024
@c4-judge
Copy link
Contributor

hansfriese changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

hansfriese marked the issue as grade-c

@c4-judge c4-judge added grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Mar 20, 2024
@trmid
Copy link

trmid commented Mar 22, 2024

mitigation: GenerationSoftware/pt-v5-vault#95

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-c primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_25_group AI based duplicate group recommendation sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@wangxx2026 @trmid @hansfriese @raymondfam @c4-judge @c4-sponsor @c4-pre-sort @c4-bot-2 @jes16jupyter @c4-bot-12