Platform: Code4rena
Start Date: 13/11/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 120
Period: 4 days
Judge: 0xTheC0der
Id: 306
League: ETH
Rank: 77/120
Findings: 1
Award: $4.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: chaduke
Also found by: 0xpiken, Bauchibred, Matin, MohammedRizwan, MrPotatoMagic, OMEN, Pheonix, SandNallani, T1MOH, Topmark, ZanyBonzy, adriro, aslanbek, ayden, bareli, bart1e, bin2chen, btk, cheatc0d3, codynhat, critical-or-high, d3e4, erebus, firmanregar, hunter_w3b, jasonxiale, kaveyjoe, ksk2345, lsaudit, max10afternoon, merlinboii, nailkhalimov, osmanozdemir1, peanuts, pep7siup, pontifex, sbaudh6, shenwilly, sl1, tourist, wisdomn_, young, zhaojie
4.0797 USDC - $4.08
https://github.com/code-423n4/2023-11-canto/blob/main/asD/src/asD.sol#L76
Inside withdrawCarry(), constant scale factor 1e28 is used, assuming that underlying decimals are always 18. At the same time, a preferred secure way is to cache underlying decimals in the constructor inside the immutable variable and further use it.
In case an incorrect scale factor is used, either the owner of asD is able to withdraw more underlying tokens than supposed to or withdrawCarry() reverts.
Manual review.
Use an immutable variable to cache the underlying decimals in the constructor of the asD contract.
ERC20
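The two outcomes named in the finding (over-withdrawal or revert) can be reproduced with a small integer model. This is an added example, not code from asD.sol or from the warden. It assumes the carry is computed as cToken balance * exchange rate / scale - total supply, and that exchange rates follow the Compound convention of scaling by 10^(18 - 8 + underlying decimals); the position values are constructed.

```python
# Added illustration (not asD.sol): integer model of a carry calculation of
# the form  ctoken_balance * exchange_rate / SCALE - total_supply.
# Assumption: Compound-style exchange rates are scaled by
# 10**(18 - 8 + underlying_decimals), which equals 1e28 only for 18 decimals.

CTOKEN_DECIMALS = 8
HARDCODED_SCALE = 10**28


class Revert(Exception):
    """Models a Solidity 0.8 checked-arithmetic revert."""


def exchange_rate_scale(underlying_decimals: int) -> int:
    """Scale a contract would derive from decimals cached in its constructor."""
    return 10 ** (18 - CTOKEN_DECIMALS + underlying_decimals)


def max_withdrawable(ctoken_balance, exchange_rate, total_supply, scale):
    underlying_held = ctoken_balance * exchange_rate // scale
    if underlying_held < total_supply:
        raise Revert("underflow in underlying_held - total_supply")
    return underlying_held - total_supply


def scenario(underlying_decimals, whole_tokens=1000, growth_bps=500):
    """Constructed position: deposit at rate 0.02, then the rate grows by 5%."""
    unit = 10**underlying_decimals
    true_scale = exchange_rate_scale(underlying_decimals)
    initial_rate = true_scale // 50            # 0.02 underlying per cToken
    total_supply = whole_tokens * unit         # minted 1:1 in raw units
    ctoken_balance = total_supply * true_scale // initial_rate
    rate_now = initial_rate * (10_000 + growth_bps) // 10_000
    results = {}
    for label, scale in (("cached", true_scale), ("hardcoded", HARDCODED_SCALE)):
        try:
            results[label] = max_withdrawable(
                ctoken_balance, rate_now, total_supply, scale
            )
        except Revert:
            results[label] = "revert"
    return results


if __name__ == "__main__":
    for decimals in (18, 6, 24):
        print(decimals, scenario(decimals))
```

With 18 decimals both scales agree on a carry of 50 tokens; with 6 decimals the hard-coded scale reverts, and with 24 decimals it reports a carry far larger than the underlying actually held.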
#0 - c4-pre-sort
2023-11-20T05:54:58Z
minhquanym marked the issue as sufficient quality report
#1 - OpenCoreCH
2023-11-27T11:52:22Z
I think this issue is only about storing it as an immutable variable? This would be QA / GAS (although it should not even save gas). Otherwise, it would be a dup of https://github.com/code-423n4/2023-11-canto-findings/issues/227
#2 - c4-sponsor
2023-11-27T11:52:32Z
OpenCoreCH (sponsor) disputed
#3 - MarioPoneder
2023-11-29T14:36:55Z
Doesn't discuss and prove impacts like #227, therefore QA.
#4 - c4-judge
2023-11-29T14:36:59Z
MarioPoneder changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-11-29T22:39:27Z
MarioPoneder marked the issue as grade-b