Fujicracy / fuji-v2

Cross-chain money market aggregator
https://fuji-v2-frontend.vercel.app

oracle: attacker can borrow more than he is allowed to #294

Open rajatbeladiya opened 1 year ago

rajatbeladiya commented 1 year ago

Affected smart contract

FujiOracle.sol, BorrowingVault.sol

Severity

High

Description

The Chainlink oracle price could return a negative value.

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/FujiOracle.sol#L113-L115

Here Fuji converts the int256 latestPrice result with uint256(latestPrice).

Suppose it returns -1; when it is converted, uint256(-1) will be the large value "115792089237316195423570985008687907853269984665640564039457584007913129639935".

The _getUSDPrice() function is used internally by getPriceOf(), and that function is used by _computeMaxBorrow(), which is an internal function used by borrow().

https://github.com/Fujicracy/fuji-v2/blob/50fd0b74ccee1a73a459118e50e044a2bcfacd10/packages/protocol/src/vaults/borrowing/BorrowingVault.sol#L221-L239

Impact: it allows an attacker to borrow a large amount of value in exchange for a low amount of collateral when the oracle returns a negative value.

POC

The typecast uint(a) will return 115792089237316195423570985008687907853269984665640564039457584007913129639935 here.

pragma solidity ^0.8.0;

contract Test {

    // A negative int256, as a Chainlink feed can return for `answer`.
    int256 a = -1;

    // Explicit int256 -> uint256 conversion is not checked in Solidity 0.8,
    // so a negative value wraps to 2**256 - 1 instead of reverting.
    function getValueB() external view returns (uint256 btemp) {
        btemp = uint256(a);
    }

}

Recommendation

Check whether the return value is negative, and if it is, revert the transaction in the _getUSDPrice() function.
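The following is an added example, not Fuji's code and not part of the issue. It puts the unchecked cast the report describes beside the hardened read the recommendation asks for, against the standard Chainlink AggregatorV3Interface. It also goes one step beyond the issue by rejecting stale rounds, since a non-positive answer and a stale answer are usually guarded in the same place. The function names, the `maxAge` parameter and the mock feed are assumptions made for this example.

```solidity
// Added example (not the project's code): unchecked vs. checked oracle reads.
pragma solidity ^0.8.0;

// Standard Chainlink aggregator interface (only the call used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

contract OracleCastExample {
    error InvalidOraclePrice(int256 answer);
    error StaleOraclePrice(uint256 updatedAt);

    // Unchecked pattern from the report: a negative `answer` wraps to a huge uint256.
    function unsafeUsdPrice(AggregatorV3Interface feed) external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer); // -1 becomes 2**256 - 1; no revert in 0.8
    }

    // Hardened pattern: revert on a non-positive answer, and (beyond the issue)
    // on a round that is older than `maxAge` seconds or not yet answered.
    function safeUsdPrice(AggregatorV3Interface feed, uint256 maxAge)
        external
        view
        returns (uint256)
    {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert InvalidOraclePrice(answer);
        if (
            updatedAt == 0 ||
            block.timestamp - updatedAt > maxAge ||
            answeredInRound < roundId
        ) revert StaleOraclePrice(updatedAt);
        return uint256(answer);
    }
}

// Constructed mock feed for local testing: returns whatever answer it was given,
// so MockFeed(-1) reproduces the wrap in unsafeUsdPrice and the revert in safeUsdPrice.
contract MockFeed is AggregatorV3Interface {
    int256 public answer;

    constructor(int256 a) {
        answer = a;
    }

    function latestRoundData()
        external
        view
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, answer, block.timestamp, block.timestamp, 1);
    }
}
```

Deploy `MockFeed` with `-1` and call both functions on `OracleCastExample`: `unsafeUsdPrice` returns the 2**256 - 1 value quoted in the report, while `safeUsdPrice` reverts with `InvalidOraclePrice(-1)` before the value can reach any borrow-limit computation.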