code-423n4 / 2024-02-tapioca-findings


Incorrect use of `_removeDust()` in function `TapTokenReceiver._claimTwpTapRewardsReceiver()` #147

Open c4-bot-7 opened 4 months ago

c4-bot-7 commented 4 months ago

Lines of code

https://github.com/Tapioca-DAO/tap-token/blob/20a83b1d2d5577653610a6c3879dff9df4968345/contracts/tokens/TapTokenReceiver.sol#L180-L181

Vulnerability details

Description

The _removeDust function is designed to eliminate dust from a given local decimal amount:

function _removeDust(uint256 _amountLD) internal view virtual returns (uint256 amountLD) {
    // Floor the local-decimal amount to a multiple of this token's decimalConversionRate
    return (_amountLD / decimalConversionRate) * decimalConversionRate;
}

The decimalConversionRate is initialized in the constructor by setting decimalConversionRate = 10 ** (_localDecimals - sharedDecimals()). This value can vary between tokens, as each token's owner can choose different shared decimals or local decimals. Consequently, you cannot use the _removeDust function of one token for another token, due to potential differences in the decimalConversionRate used in each contract. However, this is exactly what happens in the TapTokenReceiver._claimTwpTapRewardsReceiver() function, where the amountWithoutDust of the reward token is calculated using the _removeDust() function of the Tap token:

function _claimTwpTapRewardsReceiver(bytes memory _data) internal virtual twTapExists {
    ... 

    uint256 amountWithoutDust = _removeDust(claimedAmount_[i]);

    ...

    claimTwTapRewardsMsg_.sendParam[sendParamIndex].sendParam.amountLD = amountWithoutDust; // Set the amount to send to the claimed amount
    claimTwTapRewardsMsg_.sendParam[sendParamIndex].sendParam.minAmountLD = amountWithoutDust; // Set the amount to send to the claimed amount

    ...

It's important to note that there could be cases where the reward token uses a different decimalConversionRate from the Tap token, resulting in an incorrect amountWithoutDust being sent to the receiver.

Impact

The consequences would be significant if the sendTo_ address does not belong to the token's owner (for example, it could be a donation address), leading to the loss of a portion of the reward tokens.

Tools Used

Manual review

Recommended Mitigation Steps

Consider getting the decimalConversionRate from the reward token to calculate the amountWithoutDust.

Assessed type

Decimal
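The following is an added example, not code from the report or from the Tapioca repository. It models the OFT dust-removal arithmetic the report describes (decimalConversionRate = 10 ** (localDecimals - sharedDecimals), then floor to a multiple of it) and compares the amount `_claimTwpTapRewardsReceiver()` computes with the Tap token's rate against the amount the reward token's own rate would give. The token names, decimals and claimed amounts are constructed for illustration, and `debit_view` is a modelled stand-in for the OFT base contract's `_debitView` slippage check (an assumption about how the downstream send behaves, not something the report states).

```python
"""Added example (not the report's or Tapioca's code): what happens when one OFT
token's _removeDust() is applied to another token's claimed amount."""

from dataclasses import dataclass


class SlippageExceeded(Exception):
    """Stand-in for the OFT SlippageExceeded revert (modelled, not project code)."""


@dataclass(frozen=True)
class OFTToken:
    name: str
    local_decimals: int
    shared_decimals: int

    @property
    def decimal_conversion_rate(self) -> int:
        # Mirrors the constructor: 10 ** (_localDecimals - sharedDecimals())
        return 10 ** (self.local_decimals - self.shared_decimals)

    def remove_dust(self, amount_ld: int) -> int:
        # Mirrors _removeDust(): floor to a multiple of THIS token's rate
        rate = self.decimal_conversion_rate
        return (amount_ld // rate) * rate

    def debit_view(self, amount_ld: int, min_amount_ld: int) -> int:
        """Modelled on OFT _debitView() (assumption): the amount actually sent is
        re-floored with the sending token's rate, and the send reverts if that
        falls below minAmountLD."""
        amount_sent_ld = self.remove_dust(amount_ld)
        if amount_sent_ld < min_amount_ld:
            raise SlippageExceeded(f"{amount_sent_ld} < {min_amount_ld}")
        return amount_sent_ld


def claim_amount_as_reported(tap: OFTToken, claimed_ld: int) -> int:
    """What _claimTwpTapRewardsReceiver() does per the report: floor the reward
    amount with the Tap token's rate, whatever token is being claimed."""
    return tap.remove_dust(claimed_ld)


def claim_amount_fixed(reward: OFTToken, claimed_ld: int) -> int:
    """The recommended mitigation: floor with the reward token's own rate."""
    return reward.remove_dust(claimed_ld)


def simulate_claim(tap: OFTToken, reward: OFTToken, claimed_ld: int) -> dict:
    """Compute both amounts, then push the reported amount through the reward
    token's send path with amountLD == minAmountLD, as the report's snippet does."""
    reported = claim_amount_as_reported(tap, claimed_ld)
    fixed = claim_amount_fixed(reward, claimed_ld)
    try:
        sent_ld = reward.debit_view(reported, reported)
        outcome = "sent"
    except SlippageExceeded:
        sent_ld = 0
        outcome = "reverted"
    return {
        "reward": reward.name,
        "reported": reported,
        "fixed": fixed,
        "sent_ld": sent_ld,
        "outcome": outcome,
        "shortfall": fixed - sent_ld,  # reward units the receiver does not get
    }


# Constructed tokens: TAP-like (18 local / 6 shared), a 6-decimal stable-like
# token whose rate is 1, and a token with a coarser shared precision than TAP.
TAP = OFTToken("TAP", local_decimals=18, shared_decimals=6)
USD6 = OFTToken("USD6", local_decimals=6, shared_decimals=6)
BIG = OFTToken("BIG", local_decimals=18, shared_decimals=4)


def demo() -> list:
    """Three claims: a reward with a smaller rate than TAP (amount floors to 0),
    a reward with a larger rate (min amount is not dust-free for that token, so
    the modelled send reverts), and a reward with the same rate (no effect)."""
    return [
        simulate_claim(TAP, USD6, 1_500_000),  # 1.5 USD6
        simulate_claim(TAP, BIG, 123_456_789_012_345_678_901),
        simulate_claim(TAP, OFTToken("SAME", 18, 6), 123_456_789_012_345_678_901),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first case is the one the report's impact section points at: with a reward token whose decimalConversionRate is smaller than TAP's, flooring with TAP's rate zeroes a 1.5-token claim, so the receiver gets nothing. The second case shows the other direction, where the amount computed with TAP's rate still carries dust from the reward token's point of view; under the modelled `_debitView` behaviour the send would then fail the `minAmountLD` check, which is why the mitigation should use the reward token's own rate for both `amountLD` and `minAmountLD`.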

c4-judge commented 3 months ago

dmvt marked the issue as primary issue

c4-sponsor commented 3 months ago

0xRektora (sponsor) confirmed

c4-judge commented 3 months ago

dmvt changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

dmvt marked the issue as grade-a