Closed code423n4 closed 2 years ago
Handle
cmichel

Vulnerability details
The `TWAPOracle.getRate` function simply performs an integer division to compute the rate.

```solidity
// TWAPOracle.getRate
function getRate() public view returns (uint256 result) {
    uint256 tUSDInUSDV = consult(USDV);
    uint256 tUSDInVader = consult(VADER);
    // @audit shouldn't this scale by 1e18 first? otherwise easily 0
    result = tUSDInUSDV / tUSDInVader;
}
```

It should first be scaled by some value, for example, `1e18`.

Impact
The rate has no decimal precision and if `tUSDInVader > tUSDInUSDV`, the rate will always be zero.
The `usdvtoVader` and `vaderToUsdv` functions will return incorrect values.

Recommended Mitigation Steps

```solidity
// return as a rate with 18 decimals instead
result = tUSDInUSDV * 1e18 / tUSDInVader;
```
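The precision loss described in the finding, as an added example that is not part of the original issue or of the Vader contracts. Python ints stand in for `uint256` (same floor division, non-negative values), and the two `consult()` prices are passed in as 18-decimal arguments. The helper names `usdv_to_vader` / `vader_to_usdv`, their bodies, and the direction of the rate (VADER per USDV) are assumptions, since the real `usdvtoVader` / `vaderToUsdv` code is not shown on the page; the overflow check on the scaled multiplication is the caveat a reviewer would add to the proposed fix.

```python
# Added example (not code from the Vader contracts or from the finding's author).
# Python ints model uint256 arithmetic: `//` is the floor division Solidity
# uses, and all values here are non-negative. consult() is replaced by the
# two TWAP prices passed in as arguments, expressed with 18 decimals.
# The helper names usdv_to_vader / vader_to_usdv and the rate direction
# (VADER per USDV) are assumptions; the real bodies are not on the page.

UINT256_MAX = 2**256 - 1
ONE = 10**18  # 18-decimal fixed point, as in the proposed fix


def get_rate_unscaled(t_usd_in_usdv: int, t_usd_in_vader: int) -> int:
    """Original getRate: plain integer division, so the result has no
    fractional part and is 0 whenever tUSDInVader > tUSDInUSDV."""
    return t_usd_in_usdv // t_usd_in_vader


def get_rate_scaled(t_usd_in_usdv: int, t_usd_in_vader: int) -> int:
    """Mitigated getRate: multiply by 1e18 *before* dividing, giving an
    18-decimal rate. The product must still fit in uint256; Solidity >=0.8
    would revert on overflow, so the same condition is checked here."""
    numerator = t_usd_in_usdv * ONE
    if numerator > UINT256_MAX:
        raise OverflowError("tUSDInUSDV * 1e18 does not fit in uint256")
    return numerator // t_usd_in_vader


def usdv_to_vader(amount_usdv: int, rate_scaled: int) -> int:
    """Assumed conversion: rate is VADER per USDV with 18 decimals,
    so the 1e18 scaling is divided back out after multiplying."""
    return amount_usdv * rate_scaled // ONE


def vader_to_usdv(amount_vader: int, rate_scaled: int) -> int:
    """Assumed inverse conversion. Divides by the rate, so a rate of 0
    (what the unscaled getRate returns whenever VADER is worth more than
    USDV) raises ZeroDivisionError here and panics in Solidity."""
    return amount_vader * ONE // rate_scaled


def compare(t_usd_in_usdv: int, t_usd_in_vader: int) -> dict:
    """Run both variants on the same TWAP prices and report the rate each
    produces together with the relative error against a float reference."""
    exact = t_usd_in_usdv / t_usd_in_vader  # float, reference only
    unscaled = get_rate_unscaled(t_usd_in_usdv, t_usd_in_vader)
    scaled = get_rate_scaled(t_usd_in_usdv, t_usd_in_vader)
    return {
        "unscaled": unscaled,
        "scaled": scaled,
        "unscaled_rel_error": abs(unscaled - exact) / exact,
        "scaled_rel_error": abs(scaled / ONE - exact) / exact,
    }


if __name__ == "__main__":
    # Constructed prices: USDV at 1.00 USD; VADER at 2.50 USD and at 0.70 USD.
    for vader_price in (25 * 10**17, 7 * 10**17):
        r = compare(10**18, vader_price)
        print(f"VADER={vader_price / ONE:.2f} USD -> unscaled rate {r['unscaled']} "
              f"(error {r['unscaled_rel_error']:.0%}), scaled rate {r['scaled']} "
              f"(error {r['scaled_rel_error']:.1e})")
```

With VADER at 2.50 USD the unscaled rate is 0 and every USDV converts to 0 VADER while the reverse conversion divides by zero; at 0.70 USD the unscaled rate rounds 1.43 down to 1, a 30% error on every swap. Any consumer of the scaled rate must divide the 1e18 back out, as the two conversion helpers do.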
The TWAP oracle module has been completely removed and redesigned from scratch as LBTwap that is subject of the new audit.