Open code423n4 opened 2 years ago
Duplicate of #39
I gave this a :heart: along with https://github.com/code-423n4/2022-06-connext-findings/issues/61 because these findings both identified an additional location in the StableSwap
contract where the 18 decimal assumption is hardcoded.
I gave this a ❤️ along with #61 because these findings both identified an additional location in the
StableSwap
contract where the 18 decimal assumption is hardcoded.
Marking as confirmed (and leaving issue open) for this reason. Would be great to merge both findings into 1 issue in the finalized audit.
Assortment of findings across these three issues: https://github.com/code-423n4/2022-06-connext-findings/issues/39 https://github.com/code-423n4/2022-06-connext-findings/issues/61 https://github.com/code-423n4/2022-06-connext-findings/issues/204
Marking this as the primary issue because it highlights an active part of the codebase while other issues do not. initializeSwap
will not be compatible with any token with decimals
greater than 18
.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L99-L115
Vulnerability details
For tokens with decimals larger than 18, many functions across the codebase will revert due to underflow.
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L99-L115
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/facets/StableSwapFacet.sol#L426
Chainlink feeds' with decimals > 18 are not supported neither:
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/helpers/ConnextPriceOracle.sol#L122-L140
Recommendation
Consider checking if decimals > 18 and normalize the value by div the decimals difference.