code4rena-2023-12-shell-protocol-l07
[L-07] Comments on ERC20Wrap is misleading
Summary
The comment is written in a confusing way.
Keyword
clean code
Vulnerability
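When performing an ERC20Wrap, the amount parameter is the number of Ocean tokens the user will receive. It is not the number of ERC20 tokens the user has to provide. However, the comment describes this in a confusing way.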
@>   * @param amount amount of the ERC-20 token to be wrapped, in terms of
     *  18-decimal fixed point
     * @param userAddress the address of the user who is wrapping the token
     */
@>  function _erc20Wrap(address tokenAddress, uint256 amount, address userAddress, uint256 outputToken) private {
        try IERC20Metadata(tokenAddress).decimals() returns (uint8 decimals) {
            /// @dev the amount passed as an argument to the external token
            uint256 transferAmount;
            /// @dev the leftover amount accumulated by the Ocean.
            uint256 dust;

@>          (transferAmount, dust) = _determineTransferAmount(amount, decimals);

            // If the user is unwrapping a delta, the residual dust could be
            // written to the user's ledger balance. However, it costs the
            // same amount of gas to place the dust on the owner's balance,
            // and accumulation of dust may eventually result in
            // transferrable units again.
            _grantFeeToOcean(outputToken, dust);

@>          SafeERC20.safeTransferFrom(IERC20(tokenAddress), userAddress, address(this), transferAmount);

            emit Erc20Wrap(tokenAddress, transferAmount, amount, dust, userAddress, outputToken);
        } catch {
            revert NO_DECIMAL_METHOD();
        }
    }
Impact
The comment can give readers incorrect information.
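To make the difference between amount and transferAmount concrete, here is an added example: a Python model written for this note, not code from the Ocean contract. It assumes that _determineTransferAmount, whose body is not shown above, rounds the transfer up to a whole base unit of the external token and reports the excess as dust in 18-decimal units; the Python function names and the sample input are constructed for illustration.

```python
NORMALIZED_DECIMALS = 18  # Ocean amounts use 18-decimal fixed point


def determine_transfer_amount(amount: int, decimals: int) -> tuple[int, int]:
    """Model of the conversion step (assumed behaviour, see the lead-in).

    amount   -- Ocean tokens the user will receive, in 18-decimal units
    decimals -- value returned by decimals() on the external ERC-20
    Returns (transfer_amount in ERC-20 base units, dust in 18-decimal units).
    """
    if amount < 0 or not 0 <= decimals <= 255:  # uint256 / uint8 domains
        raise ValueError("amount or decimals out of range")
    if decimals >= NORMALIZED_DECIMALS:
        # Scaling up (or not at all) never truncates, so there is no dust.
        return amount * 10 ** (decimals - NORMALIZED_DECIMALS), 0
    scale = 10 ** (NORMALIZED_DECIMALS - decimals)
    transfer_amount, truncated = divmod(amount, scale)
    if truncated == 0:
        return transfer_amount, 0
    # The token cannot represent the remainder, so one more base unit is
    # pulled and the overpayment is accounted for as dust.
    transfer_amount += 1
    return transfer_amount, transfer_amount * scale - amount


def wrap_summary(amount: int, decimals: int) -> dict:
    """What each party ends up with when `amount` is passed to the wrap."""
    transfer_amount, dust = determine_transfer_amount(amount, decimals)
    pulled_normalized = transfer_amount * 10 ** NORMALIZED_DECIMALS // 10 ** decimals
    assert pulled_normalized == amount + dust  # nothing is created or lost
    return {
        "erc20_pulled_from_user": transfer_amount,  # ERC-20 base units
        "ocean_credited_to_user": amount,           # 18-decimal units
        "dust_granted_to_ocean": dust,              # 18-decimal units
    }


if __name__ == "__main__":
    # Constructed input: a 6-decimal token, 1.5 Ocean tokens plus 1 unit.
    for name, value in wrap_summary(1_500_000_000_000_000_001, 6).items():
        print(f"{name}: {value}")
```

In this model the user is credited exactly amount, while the ERC-20 pulled from them is worth amount plus dust, which is why describing amount as the ERC-20 quantity being wrapped misleads the reader.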
Mitigation
Revise the comment so that it is clear.
tags: bughunting, shell protocol, smart contract, solidity, clean code, severity low