Open code423n4 opened 2 years ago
We are exactly doing this 18 decimals. That's why we did it this way and this is not an issue. Maybe doing it default as 1e18 is a good way to improve it.
This idea is a duplicate of #60.
It is true that when the contract is initiated() with wrong arguments, the whitelist feature can not work improperly, but the precondition of this issue is unlikely to happen.
So I will downgrade this to low.
Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.
The original title, for the record, was "The whitelist won't work if the contract is deployed with decimals != 18".
Lines of code
https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L624
Vulnerability details
Impact
The whitelist won't work if the contract is deployed with decimals != 18
Proof of Concept
The check whitelist modifier uses 10**18 instead of decimals. This means the whitelist wouldn't work properly if the decimals are set differently in the constructor. https://github.com/code-423n4/2022-02-jpyc/blob/cfc018384dd1d71febaa57f0576cb51f5d9c7e07/contracts/v2/FiatTokenV2.sol#L624
Recommended Mitigation Steps
Use decimals instead of 10**18 or change decimals equal to 10**18 by default.
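
The report's point, as an added Solidity sketch that is not the JPYC contract or the warden's code: a whitelist threshold scaled by a fixed 10**18 next to one scaled by the token's own decimals. The contract name, `LIMIT_IN_TOKENS` and its value, the `owner` check and all function names are assumptions made for illustration; only the hard-coded `10**18` factor comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the JPYC contract. LIMIT_IN_TOKENS, owner and the
// function names are hypothetical; only the fixed 10**18 scale is from the report.
contract WhitelistScaleExample {
    address public immutable owner;
    uint8 public immutable decimals;
    uint256 public constant LIMIT_IN_TOKENS = 100000; // assumed limit, in whole tokens
    mapping(address => bool) public whitelisted;
    mapping(address => uint256) public balanceOf;

    constructor(uint8 tokenDecimals) {
        owner = msg.sender;
        decimals = tokenDecimals;
        balanceOf[msg.sender] = 10**9 * 10**uint256(tokenDecimals); // sample supply
    }

    // As reported: fixed scale. With decimals == 6 this threshold is
    // 10**17 whole tokens, so the whitelist check is never reached in practice.
    modifier checkHardcoded(address account, uint256 value) {
        if (value > LIMIT_IN_TOKENS * 10**18) {
            require(whitelisted[account], "not whitelisted");
        }
        _;
    }

    // Recommended mitigation: derive the scale from decimals.
    modifier checkScaled(address account, uint256 value) {
        if (value > LIMIT_IN_TOKENS * 10**uint256(decimals)) {
            require(whitelisted[account], "not whitelisted");
        }
        _;
    }

    function setWhitelisted(address account, bool allowed) external {
        require(msg.sender == owner, "not owner");
        whitelisted[account] = allowed;
    }

    function transferHardcoded(address to, uint256 value)
        external checkHardcoded(msg.sender, value) { _move(to, value); }

    function transferScaled(address to, uint256 value)
        external checkScaled(msg.sender, value) { _move(to, value); }

    function _move(address to, uint256 value) private {
        balanceOf[msg.sender] -= value; // checked arithmetic reverts on underflow
        balanceOf[to] += value;
    }
}
```

Deployed with `tokenDecimals = 18` the two transfer paths behave identically, which matches the sponsor's comment; they diverge only for other values.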