DyadStablecoin / contracts-v3

A fundamentally new DeFi primitive. Launching Soon™.
https://twitter.com/0xDYAD

[M-01] Price feed is hard-coded to 8 dp but oracle is Chainlink aggregator #39

Open IAm0x52 opened 1 year ago

IAm0x52 commented 1 year ago

Summary

The oracle used to price Ethereum is a Chainlink aggregator proxy, meaning that the underlying oracle contract can be upgraded at any time, changing the number of decimals.

Proof of Concept

AggregatorProxy.sol#L355-L360

function proposeAggregator(address _aggregator)
  external
  onlyOwner()
{
  proposedAggregator = AggregatorV2V3Interface(_aggregator);
}

Aggregator proxy can be updated at any time by owner. This means that the decimals of the aggregator can be changed. All price calculations are hard-coded for 8 dp and there is no way to change the oracle. The result of this is that a change in decimals would be catastrophic to DNFT.sol.

Recommendation

Use oracle.decimals() in place of 1e8 when calculating price
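The vulnerable pattern beside the recommended fix, as an added illustration that is not code from the DYAD repository or from the reporter. It assumes a feed exposing Chainlink's `AggregatorV3Interface` (`decimals()` and `latestRoundData()`); the contract names and the 18-decimal output convention are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Subset of Chainlink's AggregatorV3Interface needed for this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Vulnerable pattern (constructed): assumes the proxy's aggregator always reports 8 dp.
contract HardcodedPrice {
    AggregatorV3Interface public immutable oracle;

    constructor(AggregatorV3Interface _oracle) { oracle = _oracle; }

    // USD value of `weiAmount` of ETH, scaled so that 1e18 == $1.
    function usdValue(uint256 weiAmount) external view returns (uint256) {
        (, int256 answer, , , ) = oracle.latestRoundData();
        require(answer > 0, "bad price");
        // If the owner proposes an aggregator with 18 dp, every result is 1e10 times too large.
        return weiAmount * uint256(answer) / 1e8;
    }
}

// Hardened pattern (constructed): read decimals() at call time and normalize the answer to 18 dp.
contract NormalizedPrice {
    AggregatorV3Interface public immutable oracle;

    constructor(AggregatorV3Interface _oracle) { oracle = _oracle; }

    function usdValue(uint256 weiAmount) external view returns (uint256) {
        (, int256 answer, , , ) = oracle.latestRoundData();
        require(answer > 0, "bad price");
        // Queried live, so an aggregator swap that changes decimals is picked up on the next call.
        uint8 dec = oracle.decimals();
        require(dec <= 18, "unsupported decimals");
        uint256 price18 = uint256(answer) * 10 ** (18 - dec);
        return weiAmount * price18 / 1e18;
    }
}
```

The extra `decimals()` call costs one more external read per price lookup; caching it in the constructor would reintroduce the same stale-assumption bug the issue describes.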

shafu0x commented 1 year ago

@IAm0x52 should be fixed by this https://github.com/DyadStablecoin/contracts-v3/pull/40

IAm0x52 commented 1 year ago

@shafu0x changes look good