code-423n4 / 2021-04-maple-findings

Chainlink Price oracle always assumes 8 decimals #83

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

@cmichelio

Vulnerability details

The response from the price oracle is always assumed to have 8 decimals (see PoolLib.convertFromUsd), but it is never checked whether the oracle response actually has 8 decimals using Chainlink's .decimals() function.

Impact

At some point, the governor might set up a USD price feed oracle that has more than 8 decimals, leading to inflated prices everywhere.

Recommended Mitigation Steps

Consider checking _aggregator.decimals() == 8 in ChainlinkOracle constructor and changeAggregator.

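One way to implement the recommended check, as an added example that is not Maple's code: the wrapper contract, the governor role, the event, the error strings and the convertFromUsd arithmetic below are assumed for illustration, while AggregatorV3Interface is the standard Chainlink interface (copied minimally here; import it from @chainlink/contracts in a real project). The constructed MockAggregator lets the check be exercised without a live feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the Maple repository under review.
// Minimal copy of the Chainlink AggregatorV3Interface functions used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical oracle wrapper: every consumer of getLatestPrice() divides by
// PRICE_SCALE, so the feed behind it must report exactly EXPECTED_DECIMALS.
contract DecimalCheckedOracle {
    uint8   public constant EXPECTED_DECIMALS = 8;
    uint256 public constant PRICE_SCALE       = 10 ** uint256(EXPECTED_DECIMALS); // 1e8

    AggregatorV3Interface public aggregator;
    address public immutable governor; // assumed role; the real access control may differ

    event AggregatorChanged(address indexed oldAggregator, address indexed newAggregator);

    modifier onlyGovernor() {
        require(msg.sender == governor, "ORACLE:NOT_GOVERNOR");
        _;
    }

    constructor(address _aggregator, address _governor) {
        governor = _governor;
        _setAggregator(_aggregator);
    }

    // Same validation on rotation as on deployment: a feed that passed at
    // construction must not be silently swapped for one with a different scale.
    function changeAggregator(address _aggregator) external onlyGovernor {
        _setAggregator(_aggregator);
    }

    function _setAggregator(address _aggregator) internal {
        require(_aggregator != address(0), "ORACLE:ZERO_ADDRESS");
        // The check the finding recommends: reject any feed whose answer is not
        // scaled by 1e8. As a side effect this also reverts if _aggregator is not
        // a contract implementing decimals().
        uint8 feedDecimals = AggregatorV3Interface(_aggregator).decimals();
        require(feedDecimals == EXPECTED_DECIMALS, "ORACLE:DECIMALS_MISMATCH");
        emit AggregatorChanged(address(aggregator), _aggregator);
        aggregator = AggregatorV3Interface(_aggregator);
    }

    // Returns the USD price scaled by PRICE_SCALE (1e8), with sanity checks on the
    // round so a negative, incomplete or stale answer is not used.
    function getLatestPrice() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = aggregator.latestRoundData();
        require(answer > 0, "ORACLE:NON_POSITIVE_PRICE");
        require(updatedAt != 0, "ORACLE:ROUND_NOT_COMPLETE");
        require(answeredInRound >= roundId, "ORACLE:STALE_ROUND");
        return uint256(answer);
    }

    // Illustration (assumed, not PoolLib's actual formula) of arithmetic that bakes in
    // the 8-decimal assumption: converts a USD amount with 18 decimals into asset units
    // with assetDecimals. If an 18-decimal feed were accepted without the decimals()
    // check, every price read through PRICE_SCALE would be 1e10 times too high, which
    // is the "inflated prices everywhere" the finding describes.
    function convertFromUsd(uint256 usdAmount18, uint8 assetDecimals) external view returns (uint256) {
        // asset = usd / price, rescaled from 18-decimal USD to assetDecimals
        return usdAmount18 * PRICE_SCALE * (10 ** uint256(assetDecimals)) / (getLatestPrice() * 1e18);
    }
}

// Constructed test feed so the check can be exercised in Remix or Hardhat: deploying
// DecimalCheckedOracle with a MockAggregator(18, 2000e18) reverts with
// ORACLE:DECIMALS_MISMATCH, while MockAggregator(8, 2000e8) deploys normally.
contract MockAggregator is AggregatorV3Interface {
    uint8  private immutable _decimals;
    int256 private _answer;

    constructor(uint8 decimals_, int256 answer_) {
        _decimals = decimals_;
        _answer   = answer_;
    }

    function decimals() external view override returns (uint8) { return _decimals; }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, _answer, block.timestamp, block.timestamp, 1);
    }
}
```

Putting the check in a shared internal setter means the constructor and changeAggregator cannot drift apart, which is the point of the finding's recommendation to cover both entry points.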
lucas-manuel commented 3 years ago

We were going to do this manually, we were aware of this issue, but it is a good idea to just add a check. Disagree with severity.

Arachnid commented 3 years ago

Impact would be High if this happened, but the Likelihood is very low. Agree with Severity=Low.

lucas-manuel commented 3 years ago

Ended up not addressing this, will just make sure to check this during asset onboarding.