search

code-423n4 / 2022-02-jpyc-findings

1 stars 0 forks source link

QA report #56

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L624

Vulnerability details

Impact

The whitelist won't work if the contract is deployed with decimals != 18

Proof of Concept

The check whitelist modifier uses 10**18 instead of decimals. This means the whitelist wouldn't work properly on if the decimals are set differently in the constructor. https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L624

Recommended Mitigation Steps

Use decimals instead of 1018 or change decimals equal to 1018 by default.

thurendous commented 2 years ago

We are exactly doing this 18 decimals. That's why we did it this way and this is not an issue. Maybe doing it default as 1e18 is a good way to improve it.

This idea is a duplicate of #60.

jack-the-pug commented 2 years ago

It is true that when the contract is initiated() with wrong arguments, the whitelist feature can not work improperly, but the precondition of this issue is unlikely to happen.

So I will downgrade this to low.

CloudEllie commented 2 years ago

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.

The original title, for the record, was "The whitelist won't work if the contract is deployed with decimals != 18".