Affected smart contract
FujiOracle.sol, BorrowingVault.sol
Severity
High
Description
The Chainlink oracle price could be returned as a negative value.
https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/FujiOracle.sol#L113-L115
Here Fuji converts the int256 latestPrice result to uint256(latestPrice).
Suppose it returns -1: when it is converted to uint256(-1), it becomes "115792089237316195423570985008687907853269984665640564039457584007913129639935", a large value.
The _getUSDPrice price function is used internally in the getPriceOf() function, and that function is used in _computeMaxBorrow(), which is an internal function of borrow().
https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L221-L239
Impact: this can allow an attacker to borrow a large amount of value in exchange for a low amount of collateral when the oracle returns a negative value.
POC
typecast(a) will return 115792089237316195423570985008687907853269984665640564039457584007913129639935 here.
Recommendation
Check whether the returned value is negative and, if it is, revert the transaction in the _getUSDPrice() function.
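One way to implement this check, shown beside the unchecked cast. This is an added example, not code from FujiOracle.sol or from the original report. MockFeed, PriceCastExample, InvalidPrice, priceUnchecked and priceChecked are hypothetical names, and the checked version also rejects a zero answer, which goes one step beyond the negative-value check recommended above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Chainlink price feed interface, reduced to the one call used here.
interface AggregatorV3Interface {
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Constructed test feed: returns whatever answer it was deployed with, e.g. -1.
contract MockFeed is AggregatorV3Interface {
    int256 private immutable _answer;

    constructor(int256 answer_) {
        _answer = answer_;
    }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (1, _answer, block.timestamp, block.timestamp, 1);
    }
}

// Hypothetical contract for illustration; not FujiOracle.sol.
contract PriceCastExample {
    error InvalidPrice(int256 answer);

    // Unchecked: an explicit int256 -> uint256 conversion never reverts, even
    // with Solidity 0.8 checked arithmetic, so -1 comes back as 2**256 - 1.
    function priceUnchecked(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 latestPrice,,,) = feed.latestRoundData();
        return uint256(latestPrice);
    }

    // Checked: revert on a zero or negative answer before converting.
    function priceChecked(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 latestPrice,,,) = feed.latestRoundData();
        if (latestPrice <= 0) revert InvalidPrice(latestPrice);
        return uint256(latestPrice);
    }
}
```

With a MockFeed deployed with -1, priceUnchecked returns the 78-digit value quoted in the report, while priceChecked reverts with InvalidPrice(-1).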