The use of fixed decimal values such as 1e18 or 1e8 in Solidity contracts can lead to inaccuracies, bugs, and vulnerabilities, particularly when interacting with tokens with different decimal configurations. Not all ERC20 tokens follow the standard 18 decimal places, and assumptions about decimal places can lead to miscalculations.
Always retrieve and use the decimals() function from the token contract itself when performing calculations involving token amounts. This ensures that your contract correctly handles tokens with any number of decimal places, mitigating the risk of numerical errors or underflows/overflows that could jeopardize contract integrity and user funds.
Proof of Concept (PoC)
file: src/CatalystVaultCommon.sol, line 348:
    require(fee <= 1e18); // dev: VaultFee is maximum 100%.
The fee is not a decimal value. We use 10**18 as the accuracy since it is used for WAD by Solmate's math lib. See Veridise first audit for more information.
Github username: @saidqayoumsadat
Twitter username: saqsadat143
Submission hash (on-chain): 0x8966dd7575376720ff3b24ae6bd9a3c0f86ad7680969532b01ed44d022068a3a
Severity: low
Affected line: https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultCommon.sol#L348C1-L348C65
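The general pattern the description warns about, shown as an added example that is not Catalyst code. It uses a hypothetical accounting contract: the naive version multiplies a raw token amount by an 18-decimal (WAD) price, which is only correct for 18-decimal tokens, while the decimals-aware version reads decimals() once from the token and scales amounts to WAD before doing the math. The fee bound is kept as a WAD scalar check exactly like line 348, because a percentage in WAD units does not depend on any token's decimals (the point made in the reply above). The interface, contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Catalyst code base. Assumes the token implements the
// optional ERC20 decimals() getter (IERC20Metadata); tokens that omit it revert
// in the constructor of DecimalsAwareAccounting, which is the safe failure.
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

uint256 constant WAD = 1e18; // fixed-point scale for prices and fee fractions

/// Naive pattern: treats every raw token amount as if it had 18 decimals.
/// For a 6-decimal token, 1_000_000 raw units (one whole token) is valued
/// as 1e-12 of a whole token.
contract NaiveAccounting {
    /// Value of a raw token amount at a WAD-scaled price, in WAD units.
    function quoteValue(uint256 rawAmount, uint256 priceWad) external pure returns (uint256) {
        return rawAmount * priceWad / WAD; // assumes rawAmount is 18-decimal
    }
}

/// Hardened pattern: derive scale factors from the token's own decimals().
contract DecimalsAwareAccounting {
    IERC20Metadata public immutable token;
    uint8 public immutable tokenDecimals;

    constructor(IERC20Metadata token_) {
        token = token_;
        uint8 d = token_.decimals();                 // reverts if decimals() is missing
        require(d <= 77, "decimals out of range");   // 10**77 is the largest power of ten below 2**256
        tokenDecimals = d;
    }

    /// Normalise a raw token amount to 18-decimal WAD units.
    function toWad(uint256 rawAmount) public view returns (uint256) {
        if (tokenDecimals == 18) return rawAmount;
        if (tokenDecimals < 18) return rawAmount * 10 ** uint256(18 - tokenDecimals);
        // Tokens with more than 18 decimals lose sub-WAD dust here; callers
        // that must not truncate should reject such tokens instead.
        return rawAmount / 10 ** uint256(tokenDecimals - 18);
    }

    /// Convert a WAD amount back into the token's own raw units.
    function fromWad(uint256 wadAmount) public view returns (uint256) {
        if (tokenDecimals == 18) return wadAmount;
        if (tokenDecimals < 18) return wadAmount / 10 ** uint256(18 - tokenDecimals);
        return wadAmount * 10 ** uint256(tokenDecimals - 18);
    }

    /// Value of a raw token amount at a WAD-scaled price, in WAD units.
    function quoteValue(uint256 rawAmount, uint256 priceWad) external view returns (uint256) {
        return toWad(rawAmount) * priceWad / WAD;
    }

    /// Apply a fee fraction to a raw amount. feeWad is a fraction of WAD
    /// (1e18 == 100%), so the bound is the same for every token and the
    /// conversion to raw units happens only at the edges.
    function applyFee(uint256 rawAmount, uint256 feeWad) external view returns (uint256 feeRaw) {
        require(feeWad <= WAD, "fee above 100%");  // same shape as the WAD bound on line 348
        uint256 feeInWad = toWad(rawAmount) * feeWad / WAD;
        return fromWad(feeInWad);
    }
}

/// Minimal token stub with configurable decimals, for exercising the two
/// contracts in a local test (constructed for this example).
contract MockToken is IERC20Metadata {
    uint8 private immutable _decimals;

    constructor(uint8 decimals_) {
        _decimals = decimals_;
    }

    function decimals() external view override returns (uint8) {
        return _decimals;
    }
}
```

Deploying `MockToken(6)` and quoting one whole token (rawAmount 1_000_000) at a price of 2e18 gives 2e6 from `NaiveAccounting` but 2e18 from `DecimalsAwareAccounting`; with `MockToken(18)` both agree, which is why the bug is easy to miss when only 18-decimal tokens are tested. Reading decimals() once at construction and storing it as an immutable keeps the per-call cost to a single exponentiation and removes the external call from the hot path.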