kitty-the-kat
commented
2 years ago We dont expect to see any changes to underlying decimals of stablecoins, worst case scenario we can redeploy the affected contracts
Open code423n4 opened 3 years ago
kitty-the-kat
commented
2 years ago We dont expect to see any changes to underlying decimals of stablecoins, worst case scenario we can redeploy the affected contracts
Handle
pauliax
Vulnerability details
Impact
FixedStablecoins constructor does not validate that addresses in the array are not empty, != address(0), and relies that the creator passes the correct values for decimals. The comment next to USDC (0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48) says that it is supposed to have 6 decimals: uint256 public immutable USDC_DECIMALS; // = 1E6; However, when querying the actual value on Etherscan, it shows 0 decimals: https://etherscan.io/address/0xa2327a938febf5fec13bacfb16ae10ecbc4cbdcf#readContract The problem with USDC is that it uses a proxy pattern thus the implementation could change (decimals could change but in practice, I think it is very unlikely).
Recommended Mitigation Steps
I think it would be better not to pass decimals separately and rely on the correctness of the input but use IERC20Detailed and query the decimals in code. Always querying the decimals on the go may be very inefficient and bring new attack vectors so I think you need to do here an assumption that decimals of upgradeable tokens won't change.