code-423n4 / 2021-09-sushimiso-findings


Tokens without 18 decimals are unhandled #38

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

0xRajeev

Vulnerability details

Impact

The auction contracts only work for tokens with 18 decimals. While this is most common and avoids the complexity of managing tokens with different numbers of decimals, it prevents tokens with a different number of decimals from being used with these contracts.

Proof of Concept

https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/BatchAuction.sol#L143

https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/Crowdsale.sol#L169

https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/DutchAuction.sol#L158

https://github.com/sushiswap/miso/blob/2cdb1486a55ded55c81898b7be8811cb68cfda9e/contracts/Auctions/HyperbolicAuction.sol#L161

Tools Used

Manual Analysis

Recommended Mitigation Steps

Document this aspect to prevent surprises or consider handling tokens with arbitrary decimals along with appropriate precautions.
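As an added illustration (not code from the MISO repository or from the finding above), the Python below simulates a generic batch-auction clearing-price calculation that assumes every amount has 18 decimals, and compares it with a decimals-aware version. The amounts, the minimum price, the 6-decimal payment token and all function names are constructed for this example.

```python
WAD = 10**18  # 18-decimal fixed-point unit used by the hypothetical auction

def scale_to_wad(amount: int, decimals: int) -> int:
    """Normalize a raw token amount (in its own smallest unit) to 18-decimal fixed point."""
    if decimals <= 18:
        return amount * 10**(18 - decimals)
    return amount // 10**(decimals - 18)

def naive_clearing_price(total_commitments: int, total_tokens: int) -> int:
    """Payment per auction token in WAD, assuming BOTH raw amounts already use 18 decimals.
    This mirrors the 18-decimal assumption the finding describes (hypothetical formula)."""
    return total_commitments * WAD // total_tokens

def aware_clearing_price(total_commitments: int, payment_decimals: int,
                         total_tokens: int, token_decimals: int) -> int:
    """Same price, but each amount is normalized to WAD using its token's decimals first."""
    return (scale_to_wad(total_commitments, payment_decimals) * WAD
            // scale_to_wad(total_tokens, token_decimals))

def auction_successful(clearing_price_wad: int, minimum_price_wad: int) -> bool:
    """A typical success check: the clearing price must reach the configured minimum (in WAD)."""
    return clearing_price_wad >= minimum_price_wad

def require_wad_token(decimals: int) -> None:
    """Mitigation option: refuse tokens that do not use 18 decimals instead of mispricing them."""
    if decimals != 18:
        raise ValueError(f"auction only supports 18-decimal tokens, got {decimals}")

# Constructed scenario: 1,000,000 of a 6-decimal payment token (raw 1e12) committed
# against 500,000 auction tokens with 18 decimals (raw 5e23); true price is 2.0 per token.
PAYMENT_DECIMALS = 6
TOKEN_DECIMALS = 18
TOTAL_COMMITMENTS = 1_000_000 * 10**PAYMENT_DECIMALS
TOTAL_TOKENS = 500_000 * 10**TOKEN_DECIMALS
MINIMUM_PRICE = 15 * 10**17  # 1.5 payment tokens per auction token, in WAD

def run_scenario() -> dict:
    naive = naive_clearing_price(TOTAL_COMMITMENTS, TOTAL_TOKENS)
    aware = aware_clearing_price(TOTAL_COMMITMENTS, PAYMENT_DECIMALS, TOTAL_TOKENS, TOKEN_DECIMALS)
    return {
        "naive_price_wad": naive,            # 2_000_000, i.e. 2e-12 in WAD terms: off by 1e12
        "aware_price_wad": aware,            # 2 * 10**18, the real price of 2.0
        "naive_success": auction_successful(naive, MINIMUM_PRICE),  # False: auction wrongly fails
        "aware_success": auction_successful(aware, MINIMUM_PRICE),  # True
    }

if __name__ == "__main__":
    result = run_scenario()
    for k, v in result.items():
        print(f"{k}: {v}")
    try:
        require_wad_token(PAYMENT_DECIMALS)
    except ValueError as err:
        print("guard:", err)
```

Note that the per-user payout `commitment * totalTokens / totalCommitments` is decimals-invariant, so the distortion shows up in the price itself and in anything compared against it in WAD units (a minimum price, a price cap, an off-chain display), which is why either a decimals check at creation time or explicit normalization is the practical fix.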

Clearwood commented 3 years ago

Tokens without 18 decimals are not handled, but that is the expected functionality of this contract.

ghoul-sol commented 3 years ago

per sponsor comment, non-critical