Closed code423n4 closed 2 years ago
As mentioned in scope, the specific implementation details of 5095 are not included given the EIP isn't final (and we're one of the contributors working on it).
Agreed, per the terms of the contest:
Areas To Ignore:
While already noted, there are a couple areas to ignore:
- Non-Impactful or automatically reverting input sanitization.
- Non-Impactful and/or already delayed admin functionality.
- Non-Compliance with 100% of EIP-5095 (it is still a draft)
Downgrading to QA/Informational
Grouping this with the warden’s QA report, #34
Lines of code
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Creator/ZcToken.sol#L88-L92
Vulnerability details
Impact
According to https://eips.ethereum.org/EIPS/eip-5095, the result of previewWithdraw should be rounded up.
This makes the ZcToken non-compliant with the EIP-5095 standard and may cause some integration problems.
Proof of Concept
https://github.com/code-423n4/2022-07-swivel/blob/fd36ce96b46943026cb2dfcb76dfa3f884f51c18/Creator/ZcToken.sol#L88-L92
https://eips.ethereum.org/EIPS/eip-5095
Tools Used
None
Recommended Mitigation Steps
Round up the result of previewWithdraw.
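The rounding difference the report describes, as an added example that is not part of the original report and not Swivel's ZcToken code. The contract name, the two rate parameters, the conversion formula and `previewRedeem` rounding down are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Swivel's ZcToken code. The rate model
// (principal = underlying * rateAtMaturity / rateNow) is an assumption.
library PreviewRounding {
    // floor(x * y / d): native integer division truncates.
    function mulDivDown(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        return (x * y) / d;
    }

    // ceil(x * y / d): add one whenever the division leaves a remainder.
    function mulDivUp(uint256 x, uint256 y, uint256 d) internal pure returns (uint256) {
        uint256 p = x * y; // checked arithmetic: reverts on overflow
        return p / d + (p % d == 0 ? 0 : 1);
    }
}

contract PreviewWithdrawDemo {
    uint256 public immutable rateAtMaturity; // hypothetical rate snapshot
    uint256 public immutable rateNow;        // hypothetical current rate

    constructor(uint256 rateAtMaturity_, uint256 rateNow_) {
        require(rateAtMaturity_ != 0 && rateNow_ >= rateAtMaturity_, "bad rates");
        rateAtMaturity = rateAtMaturity_;
        rateNow = rateNow_;
    }

    // Rounds down: can quote fewer principal tokens than the withdrawal needs.
    function previewWithdrawDown(uint256 underlyingAmount) public view returns (uint256) {
        return PreviewRounding.mulDivDown(underlyingAmount, rateAtMaturity, rateNow);
    }

    // Rounds up, as the report recommends.
    function previewWithdrawUp(uint256 underlyingAmount) public view returns (uint256) {
        return PreviewRounding.mulDivUp(underlyingAmount, rateAtMaturity, rateNow);
    }

    // Underlying paid out for burning principalAmount (modelled as rounding down).
    function previewRedeem(uint256 principalAmount) public view returns (uint256) {
        return PreviewRounding.mulDivDown(principalAmount, rateNow, rateAtMaturity);
    }

    // Integration check: does the quoted principal actually cover the withdrawal?
    function quoteCovers(uint256 underlyingAmount) external view returns (bool down, bool up) {
        down = previewRedeem(previewWithdrawDown(underlyingAmount)) >= underlyingAmount;
        up = previewRedeem(previewWithdrawUp(underlyingAmount)) >= underlyingAmount;
    }
}
```

Deployed with constructed rates 2 and 3, `quoteCovers(10)` shows the rounded-down quote of 6 principal tokens redeeming to only 9 underlying, while the rounded-up quote of 7 redeems to 10. An integrator that burns exactly the quoted amount would come up short with the rounded-down preview.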