code-423n4 / 2021-09-yaxis-findings


`addToken` does not check if token decimals is at most `18` #105

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

hrkrshnn

Vulnerability details

addToken does not check if token decimals is at most 18

The function addToken does not check if the token decimals is at most 18 (there are tokens that have high decimals, for example YAMv2 has 24). If such a token is added to the vault (and also allowed), the normalizeDecimals function will have incorrect values, leading to bugs in share calculation.

Recommended Mitigation Steps

Add a check for decimals in addToken. For example,

modified   contracts/v3/Manager.sol
@@ -427,6 +427,7 @@ contract Manager is IManager {
    function addToken(
        address _vault,
        address _token
    )
        external
        override
        notHalted
        onlyStrategist
    {
         require(allowedTokens[_token], "!allowedTokens");
         require(allowedVaults[_vault], "!allowedVaults");
         require(tokens[_vault].length < MAX_TOKENS, ">tokens");
+        require(ExtendedIERC20(_token).decimals() <= 18);
         vaults[_token] = _vault;
         tokens[_vault].push(_token);
         emit TokenAdded(_vault, _token);
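Review bot: the added `require` on the `+` line carries no revert reason, while the three `require` calls directly above it each give one (`"!allowedTokens"`, `"!allowedVaults"`, `">tokens"`); follow that convention, e.g. `require(ExtendedIERC20(_token).decimals() <= 18, ">decimals");`, so a failed add is distinguishable from the other reverts. Note also that this makes `addToken` depend on the token exposing `decimals()`, which is optional in ERC20, so a token without it now reverts here rather than later in the decimal normalization.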
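The failure mode the finding describes, as an added Solidity illustration that is not yAxis code: `normalizeDecimals`, `normalizeDecimalsSafe` and `demo` are constructed here, and the model of a normalizer that only scales sub-18-decimal amounts up is an assumption about the pattern, not the project's implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration (assumed pattern, not yAxis code): a normalizer
// that scales tokens with fewer than 18 decimals up to 18 and passes every
// other amount through, which is exactly the assumption that breaks for a
// token with more than 18 decimals such as the 24-decimal YAMv2 named above.
contract NormalizeDemo {
    function normalizeDecimals(uint256 amount, uint8 decimals) public pure returns (uint256) {
        if (decimals < 18) {
            return amount * 10 ** (18 - decimals);
        }
        // A 24-decimal token falls through unchanged: one whole token (1e24 base
        // units) is counted as 1e6 whole 18-decimal tokens, inflating its share.
        return amount;
    }

    // Hardened form: refuse anything the normalizer cannot represent, which is
    // the same invariant the recommended addToken check enforces at admission.
    function normalizeDecimalsSafe(uint256 amount, uint8 decimals) public pure returns (uint256) {
        require(decimals <= 18, ">decimals");
        if (decimals < 18) {
            return amount * 10 ** (18 - decimals);
        }
        return amount;
    }

    // Worked values: one whole token of a 6-, 18- and 24-decimal asset.
    function demo() external pure returns (uint256 six, uint256 eighteen, uint256 twentyFour) {
        six = normalizeDecimals(1e6, 6);          // 1e18, correct
        eighteen = normalizeDecimals(1e18, 18);   // 1e18, correct
        twentyFour = normalizeDecimals(1e24, 24); // 1e24, a million times too large
        // normalizeDecimalsSafe(1e24, 24) reverts with ">decimals" instead.
    }
}
```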

uN2RVw5q commented 2 years ago

Duplicate of https://github.com/code-423n4/2021-09-yaxis-findings/issues/42

GalloDaSballo commented 2 years ago

Duplicate of #42