code-423n4 / 2021-04-vader-findings


Non-conformity to ERC20 standard for decimals in USDV.sol #130

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

ERC20 tokens should return a uint8 decimals value not uint/uint256. This may break compatibility of USDV with other ERC20-compliant tokens.

See token integration checklist from Trail of Bits https://github.com/crytic/building-secure-contracts/blob/master/development-guidelines/token_integration.md#erc-conformity

Proof of Concept

https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/USDV.sol#L13

Tools Used

Manual Analysis

Recommended Mitigation Steps

Declare decimals as uint8.

0xBrian commented 3 years ago

https://github.com/vetherasset/vaderprotocol-contracts/commit/35908c629eed86dac62b1baee3cb247c38f2a5a0

dmvt commented 3 years ago

Per the quoted ToB checklist: "If this is the case, ensure the value returned is below 255." The value is 18 and only set in the constructor https://github.com/code-423n4/2021-04-vader/blob/3041f20c920821b89d01f652867d5207d18c8703/vader-protocol/contracts/USDV.sol#L51.

dmvt commented 3 years ago

duplicate of #283
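The finding and the reply above reduce to one question: what happens when an integrator compiled against the standard `decimals() returns (uint8)` signature calls a token whose getter is typed `uint256`. The following is an added example, not code from the Vader repository or from either commenter; the contract names, the `Integrator` contract and its `toBaseUnits` function are hypothetical, while the `IERC20Decimals` interface mirrors the `decimals()` signature that ERC20 metadata interfaces such as OpenZeppelin's `IERC20Metadata` declare.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical "before": the pattern flagged in the finding. The auto-generated
// getter has the ABI signature decimals() returns (uint256).
contract NonConformingDecimals {
    uint256 public decimals;

    constructor() {
        decimals = 18; // set once, as in the finding; never exceeds 255
    }
}

// Hypothetical "after": the recommended mitigation. The getter now has the
// ERC20-conformant signature decimals() returns (uint8).
contract ConformingDecimals {
    uint8 public decimals;

    constructor() {
        decimals = 18;
    }
}

// The signature integrators compile against (same as IERC20Metadata.decimals).
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

// Hypothetical integrator: converts a whole-token amount into base units by
// reading the token's decimals through the standard interface.
contract Integrator {
    function toBaseUnits(address token, uint256 whole) external view returns (uint256) {
        // Both tokens above return a single 32-byte ABI word holding 18.
        // With ABI coder v2 (default since 0.8.0) this decode reverts if the
        // word does not fit in uint8, so the call succeeds only because the
        // value is below 256, which is exactly the ToB check applied above.
        uint8 d = IERC20Decimals(token).decimals();
        return whole * 10 ** uint256(d);
    }
}
```

Deploying either token and calling `Integrator.toBaseUnits(token, 1)` returns `1000000000000000000` in both cases, which is why the `uint256` declaration is an interoperability and conformity issue rather than a functional break for a fixed value of 18. The caveat a reviewer would still want recorded: under the legacy ABI decoder (pre-0.8 contracts compiled without `ABIEncoderV2`) an out-of-range word would be silently truncated rather than reverted, so the "value is below 255" argument only holds as long as `decimals` is never assigned a larger value; declaring it `uint8` makes that guarantee structural instead of relying on the constructor.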