Skip to main content

Overview

Dashboard

Analysis

Smart Contracts
Wallets

Studio

EVM Studio
SVM Studio
ZK Studio

Fuzzing

EVM Fuzzing
SVM Fuzzing

Forensics

Network Monitor
Upgrade Simulator
Dependency Map
Run Comparison

Cryptography

Noir Circuits
Circom Circuits
Leo (Aleo)
Cairo (StarkNet)

Exploit Database
Knowledge Base
Blog
Research

Resources
Knowledge Base
Remediation Evm Decimal Mismatch

Contract or wallet address

Detecting Address Type

Checking on-chain data...

Detection Failed

Could not determine address type.

EVM Remediation March 9, 2026 1 min read

Remediating Decimal Mismatch

How to normalize token decimal precision before arithmetic to prevent over/under-payment vulnerabilities.

evminteger-overflow

Remediating Decimal Mismatch

Overview

Related Detector: Decimal Mismatch

Always normalize values to a common decimal base before performing arithmetic across different tokens or price feeds.

Recommended Fix

Before (Vulnerable)

function getValueInUsdc(uint256 ethAmount) public view returns (uint256) {
    (, int256 price,,,) = ethUsdFeed.latestRoundData(); // 8 decimals
    return ethAmount * uint256(price); // 18 + 8 = 26 decimals — not USDC's 6
}

After (Fixed)

function getValueInUsdc(uint256 ethAmount) public view returns (uint256) {
    (, int256 price,,,) = ethUsdFeed.latestRoundData(); // 8 decimals
    // Normalize: 18 (ETH) + 8 (price) - 6 (USDC) = 20 excess decimals
    return (ethAmount * uint256(price)) / 1e20;
}

Alternative Mitigations

Internal precision: Use a high-precision internal representation (e.g., 27 decimals like RAY in MakerDAO) and convert at boundaries.
Token decimals lookup: Query token.decimals() at initialization and store the scaling factor.

Common Mistakes

Hardcoding decimal assumptions: Assuming all tokens use 18 decimals. USDC/USDT use 6, WBTC uses 8.
Ignoring oracle decimals: Chainlink feeds return 8 decimals for USD pairs but 18 for ETH pairs.

References

EIP-20: ERC-20 Token Standard
Chainlink Price Feed Decimals

Related Articles

Decimal Mismatch

Detects arithmetic operations that mix values with different decimal precision without normalization, causing massive over- or under-payments.

Back to Knowledge Base

Sign in to access the knowledge base

Use the Sign In button in the navigation bar.

Advanced bytecode decompilation and security analysis across multiple runtimes. Detect vulnerabilities, exploits, and reverse-engineer smart contracts directly on-chain.

Contact Us

Product

Features
How It Works
Pricing

Resources

Knowledge Base
Research
Blog

Company

About
Contact
Security

Legal

Terms of Service
Privacy Policy
Cookie Policy
Acceptable Use

© 2026 Sigvex. All rights reserved.

Built for developers, by developers.

Navigation

Overview

Dashboard

Analysis

Smart Contracts
Wallets

Studio

EVM Studio
SVM Studio
ZK Studio

Fuzzing

EVM Fuzzing
SVM Fuzzing

Forensics

Network Monitor
Upgrade Simulator
Dependency Map
Run Comparison

Cryptography

Noir Circuits
Circom Circuits
Leo (Aleo)
Cairo (StarkNet)

Resources

Exploit Database
Knowledge Base
Blog
Research

Keyboard Shortcuts

Global

Ctrl+P

Open command palette (search mode)

Ctrl+Shift+P

Open command palette (command mode)

Ctrl+/

View keyboard shortcuts

Esc

Close modal or dialog

Command Palette

↑ ↓

Navigate items

Enter

Select item

Tab

Toggle search/command mode

Navigation

G then D

Go to Dashboard

G then A

Go to Analyze

G then T

Go to Smart Contracts

Studio View

1 - 6

Switch between views (1=Disassembly, 2=Decompiler, 3=Hex, etc.)

Ctrl+F

Search in current view

On Mac, use Cmd instead of Ctrl

Step 1 of 6

Welcome to Sigvex

Let's take a quick tour to help you get started with multi-runtime blockchain security analysis.