This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
attens - It's dangerous for makers to set token decimal by manual #242
Comments
Attens1423
added
Medium
|
in new calculation model, we don't need token decimal anymore. fix pr:https://github.com/DODOEX/new-dodo-v3/pull/32 |
|
Please note: This issue is not part of the contest submissions and is not eligible for contest rewards. |
|
Fix looks good. Token decimals are now queried directly rather than relying a manual input |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
medium
It's dangerous for makers to set token decimal by manual
Summary
In D3Maker, when maker wants to set a new token, he must enter token decimal by himself, and D3Maker won't verify the correctness of decimal. It makes huge risk.
Vulnerability Detail
https://github.com/sherlock-audit/2023-06-dodo/blob/a8d30e611acc9762029f8756d6a5b81825faf348/new-dodo-v3/contracts/DODOV3MM/D3Pool/D3Maker.sol#L158C1-L178C57
Contract does not check decimal but record the variable directly.
Impact
If maker entered wrong decimal, swap will transfer more or less amount than expected.
Tool Used
Manual Review
Recommandation
In setNewToken function, taking token decimal through token's interface rather than entering by maker.
The text was updated successfully, but these errors were encountered: