The decimalConversionRate is initialized in the constructor by setting decimalConversionRate = 10 ** (_localDecimals - sharedDecimals()). This value can vary between tokens, as each token's owner can choose different share decimals or local decimals. Consequently, you cannot use the _removeDust function of one token for another token due to potential differences in the decimalConversionRate used in each contract. However, in the TapTokenReceiver._claimTwpTapRewardsReceiver() function, the scenario described occurs, where the amountWithoutDust of the reward token is calculated using the _removeDust() function of the Tap Token:
function _claimTwpTapRewardsReceiver(bytes memory _data) internal virtual twTapExists {
...
uint256 amountWithoutDust = _removeDust(claimedAmount_[i]);
...
claimTwTapRewardsMsg_.sendParam[sendParamIndex].sendParam.amountLD = amountWithoutDust; // Set the amount to send to the claimed amount
claimTwTapRewardsMsg_.sendParam[sendParamIndex].sendParam.minAmountLD = amountWithoutDust; // Set the amount to send to the claimed amount
...
It's important to note that there could be cases where the reward token uses a different decimalConversionRate from the tap tokens, resulting in an incorrect amountWithoutDust being sent to the receiver.
Impact
The consequences would be significant if the sendTo_ address does not belong to the token's owner (for example, it could be a donation address), leading to the loss of a portion of the reward tokens.
Tools Used
Manual review
Recommended Mitigation Steps
Consider getting the decimalConversionRate from the reward token to calculate the amountWithoutDust
Lines of code
https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenReceiver.sol#L180-L181
Vulnerability details
Description
The
_removeDust
function is designed to eliminate dust from a given local decimal amount:The
decimalConversionRate
is initialized in the constructor by settingdecimalConversionRate = 10 ** (_localDecimals - sharedDecimals())
. This value can vary between tokens, as each token's owner can choose different share decimals or local decimals. Consequently, you cannot use the_removeDust
function of one token for another token due to potential differences in thedecimalConversionRate
used in each contract. However, in theTapTokenReceiver._claimTwpTapRewardsReceiver()
function, the scenario described occurs, where theamountWithoutDust
of the reward token is calculated using the_removeDust()
function of the Tap Token:It's important to note that there could be cases where the reward token uses a different
decimalConversionRate
from the tap tokens, resulting in an incorrectamountWithoutDust
being sent to the receiver.Impact
The consequences would be significant if the
sendTo_
address does not belong to the token's owner (for example, it could be a donation address), leading to the loss of a portion of the reward tokens.Tools Used
Manual review
Recommended Mitigation Steps
Consider getting the
decimalConversionRate
from the reward token to calculate theamountWithoutDust
Assessed type
Decimal