Closed code423n4 closed 1 year ago
The price feeds we're using have 18 decimals. For this to underflow, the price would need to be greater than 1e36, which implies 1e36 reserve tokens per OHM. There are no potential reserve assets that we're using with a price that low or with that many token decimals.
downgrading to QA
Lines of code
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Operator.sol#L363-L469
Vulnerability details
Impact
Bond markets cease to work
Proof of Concept
https://github.com/code-423n4/2022-08-olympus/blob/b5e139d732eb4c07102f149fb9426d356af617aa/src/policies/Operator.sol#L375
L375 will underflow and revert when PRICE.decimals()) < priceDecimals.
The price here is already reduced by PRICE.decimals. This means that L375 will underflow when:
Tools Used
Recommended Mitigation Steps
Use an int instead of a uint for oracle scale