Incorrect handling of token decimals
The vault hardcodes the assumption that all ERC20 tokens have 18 decimals, leading to incorrect amounts being transferred, burned, or swapped for tokens with fewer decimals.
Description
The contract assumes that every ERC20 token has 18 decimals, which the standard does not guarantee. Tokens with a different number of decimals are therefore processed with the wrong amounts, so transfers, burns, and swaps can move incorrect quantities and break the contract's core functionality.
This assumption is hardcoded into the functions that handle token transfers, calculations, and conversions rather than being derived from the token itself, so every code path that touches a non-18-decimal token is affected.
Impact
The incorrect handling of token decimals can lead to multiple vulnerabilities:
- Incorrect Token Amounts: Tokens with fewer or more than 18 decimals can result in incorrect amounts being transferred or swapped, leading to financial discrepancies.
- Loss of Funds: Recipients may receive fewer tokens than intended, or senders may lose more tokens than expected due to incorrect decimal handling.
- Contract Reversion: Transactions may revert if they exceed the sender's balance or the token's total supply due to incorrect decimal calculations.
- Economic Exploits: Malicious users might exploit these discrepancies to their advantage, draining tokens from the contract or manipulating balances.
- Inconsistent State: The contract's internal state might become inconsistent if token balances do not align with the expected decimal precision, leading to further logical errors.
Recommendation
To address the issue of incorrect token decimal handling, ensure that the contract dynamically handles tokens according to their specific decimal places.
Implementation: Modify functions to automatically detect the token's decimal count and adjust calculations accordingly. This approach ensures accurate handling of different tokens.
- Automatically detect and handle token decimals using the decimals() function provided by the ERC20 standard. This approach minimizes potential errors and ensures accurate and reliable operations.
Example code adjustment to handle different token decimals, modifying the checkAmountToReceive function to automatically get the token's decimals:
interface IERC20 {
    function decimals() external view returns (uint8);
}

/// @dev used to calculate amount of the worldcoin token or other payment token to receive at a specific rate specified
/// _Ipaymentcoin (the payment token interface) and rate are the vault's existing state variables
function checkAmountToReceive(uint pointToSwap) public view returns (uint) {
    uint8 paymentDecimals = _Ipaymentcoin.decimals(); // Automatically get the token decimals
    uint rateDecimals = 18; // Assuming the rate is given in 18 decimals
    uint _rate = (pointToSwap * 10 ** paymentDecimals) / (rate * 10 ** rateDecimals);
    return _rate;
}
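A fuller version of the recommended adjustment, added here as an example and not taken from the audited vault: the naive 18-decimal conversion next to a decimal-aware one, with the vault reading decimals() once at deployment instead of hardcoding 18. It assumes that points and rate are both stored with 18 decimals (rate = 2e18 means 2 points per payment token) and that the payment token implements decimals(), which EIP-20 lists as optional; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited vault's code. Assumptions: points are tracked with
// 18 decimals and `rate` is stored with 18 decimals (2e18 == 2 points per token).
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

library DecimalMath {
    uint256 internal constant POINT_DECIMALS = 18;

    // Vulnerable form: the result is always in 18-decimal units, whatever the token.
    // For USDC (6 decimals) it is 1e12 times too large; for a 24-decimal token 1e6 too small.
    function naiveAmount(uint256 pointToSwap, uint256 rate) internal pure returns (uint256) {
        return pointToSwap * 1e18 / rate;
    }

    // Hardened form: convert the 18-decimal result into the token's own units.
    // Division truncates, so sub-unit dust is dropped; multiplication reverts on overflow.
    function amountForDecimals(uint256 pointToSwap, uint256 rate, uint8 tokenDecimals)
        internal pure returns (uint256)
    {
        uint256 tokens18 = pointToSwap * 1e18 / rate;
        if (tokenDecimals == POINT_DECIMALS) return tokens18;
        if (tokenDecimals < POINT_DECIMALS) {
            return tokens18 / 10 ** (POINT_DECIMALS - tokenDecimals);
        }
        return tokens18 * 10 ** (tokenDecimals - POINT_DECIMALS);
    }
}

contract DecimalAwareVault {
    IERC20Metadata public immutable paymentToken;
    uint8 public immutable paymentDecimals; // read once at deployment, not hardcoded
    uint256 public immutable rate;

    constructor(IERC20Metadata token, uint256 rate_) {
        paymentToken = token;
        // decimals() is optional in EIP-20; deployment reverts if the token lacks it,
        // which is safer than silently assuming 18.
        paymentDecimals = token.decimals();
        rate = rate_;
    }

    function checkAmountToReceive(uint256 pointToSwap) external view returns (uint256) {
        return DecimalMath.amountForDecimals(pointToSwap, rate, paymentDecimals);
    }
}
```

With rate = 2e18 and pointToSwap = 4e18, amountForDecimals returns 2e6 for a 6-decimal token such as USDC, whereas naiveAmount returns 2e18, which the token would interpret as two trillion USDC.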

