code-423n4 / 2021-09-sushimiso-findings


Use constant named variable for auction decimals #103

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The CrowdSale.initCrowdsale function checks that the auction token has 18 decimals through IERC20(_token).decimals() == 18. This seems to be related to AUCTION_TOKEN_DECIMALS and these values should not get out of sync.

Impact

These values can easily get out of sync.

Recommended Mitigation Steps

Create another named constant and set it to 18 decimals:

uint256 private constant AUCTION_TOKEN_DECIMAL_PLACES = 18;
uint256 private constant AUCTION_TOKEN_DECIMALS = 10 ** AUCTION_TOKEN_DECIMAL_PLACES;

Clearwood commented 3 years ago

I don't think this has any risk, but I agree with the removal of magic numbers

Clearwood commented 3 years ago

https://github.com/sushiswap/miso/pull/23

ghoul-sol commented 3 years ago

Making this non-critical, as it is a best-practices recommendation.