code-423n4 / 2021-09-wildcredit-findings


Oracle response assumes 8 decimals #101

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

The response from the ILinkOracle always assumes 8 decimals: return latestAnswer * 1e10; but it's never actually checked whether the response has 8 decimals using the .decimals() function. At some point, the governor might change the number of decimals, leading to incorrect handling of the prices. At this point this is a very theoretical issue, but a similar issue in a previous contest was assigned a severity of LOW: https://github.com/code-423n4/2021-04-maple-findings/issues/83

Recommend checking wethOracle.decimals() == 8.

Recommended Mitigation Steps

Consider checking whether the response has 8 decimals using the .decimals() function.
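The pattern described in the finding, shown beside a checked variant, as an added example that is not code from the Wild Credit repository or from the report author. The ILinkOracle interface and the wethOracle name come from the report; the contract names, the minimal interface body, and the generic scaling (which goes further than the report's suggested decimals() == 8 check by handling any feed with 18 or fewer decimals) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal Chainlink-style aggregator interface (assumed for this example;
/// only the two functions used here are declared).
interface ILinkOracle {
    function latestAnswer() external view returns (int256);
    function decimals() external view returns (uint8);
}

/// Pattern flagged in the report: the answer is scaled from an assumed
/// 8 decimals to 18 with a hard-coded 1e10, and decimals() is never read.
contract PriceFeedAssuming8 {
    ILinkOracle public immutable wethOracle;

    constructor(ILinkOracle _wethOracle) {
        wethOracle = _wethOracle;
    }

    function wethPrice() external view returns (uint256) {
        int256 latestAnswer = wethOracle.latestAnswer();
        require(latestAnswer > 0, "invalid answer");
        // Silently wrong by a factor of 10^k if the feed ever reports 8 +/- k decimals.
        return uint256(latestAnswer) * 1e10;
    }
}

/// Checked variant: read decimals() and derive the scale factor so the
/// returned price is always 18 decimals; revert instead of mis-scaling.
contract PriceFeedChecked {
    ILinkOracle public immutable wethOracle;
    uint8 internal constant TARGET_DECIMALS = 18;

    constructor(ILinkOracle _wethOracle) {
        // Fail at deployment if the feed is outside the supported range.
        require(_wethOracle.decimals() <= TARGET_DECIMALS, "unsupported decimals");
        wethOracle = _wethOracle;
    }

    function wethPrice() external view returns (uint256) {
        int256 latestAnswer = wethOracle.latestAnswer();
        require(latestAnswer > 0, "invalid answer");
        // Re-read on every call so a later change to the feed's decimals
        // cannot go unnoticed (this costs one extra external call per query).
        uint8 feedDecimals = wethOracle.decimals();
        require(feedDecimals <= TARGET_DECIMALS, "unsupported decimals");
        // 8 decimals -> multiply by 1e10; 18 decimals -> multiply by 1; anything
        // above 18 has already been rejected.
        return uint256(latestAnswer) * 10 ** (TARGET_DECIMALS - feedDecimals);
    }
}
```

The constructor check alone catches a wrong feed at deployment; the per-call read is what covers the scenario in the finding, where decimals change after deployment. Teams that consider the extra static call too expensive can keep only the constructor check and accept the residual risk, which is the trade-off the report is asking the sponsor to make explicitly.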

talegift commented 2 years ago

Checking this on every call would increase the gas costs. It's also very unlikely to ever change as it would break many more protocols than just ours.

This is a similar kind of risk as trusting that some upgradable proxy of a token we support won't change.

But looking at the code again, we might possibly remove dependence on Chainlink completely by denominating all token prices in ETH instead of USD so this won't be an issue.