Open code423n4 opened 3 years ago
Disagree with severity as while the statement that the underlying decimals of the oracles could be anything, we will be using production Chainlink feeds for which the decimals are known at the time of deploy.
This is still however an issue as you don't want someone using different oracles (eg non Chainlink) that have different underlying decimals and not realising that this contract will not support that.
Closed by accident
Marking this a high-risk issue as it poses a big threat to users deploying their own markets
Handle
cmichel
Vulnerability details
The
GasOracle
uses two chainlink oracles (GAS in ETH with some decimals, USD per ETH with some decimals) and multiplies their raw return values to get the gas price in USD.However, the scaling depends on the underlying decimals of the two oracles and could be anything. But the code assumes it's in 18 decimals.
There is a
toWad
function that seems to involve scaling but it is never used.Impact**
If the scale is wrong, the gas price can be heavily inflated or under-reported.
Recommended Mitigation Steps
Check
chainlink.decimals()
to know the decimals of the oracle answers and scale the answers to 18 decimals such that no matter the decimals of the underlying oracles, thelatestAnswer
function always returns the answer in 18 decimals.