Open code423n4 opened 2 years ago
Chain governance is able to determine which tokens will be supported in the lending market. These are the only tokens whose prices will be calculated from the getUnderlyingPrice method in the router. As such, it is not expected that many tokens with > 18 decimals will be supported. Furthermore, for any noticeable loss of precision resulting from this calculation to exist, the token would need to be worth ~< 1/1000 USD, in which case, it is not clear why it would be supported in the lending market.
Downgrading to QA; the warden doesn't demonstrate a clear attack path of any significant value to the system with the identified loss of precision.
Lines of code
https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L525-L534
https://github.com/code-423n4/2022-09-canto/blob/65fbb8b9de22cf8f8f3d742b38b4be41ee35c468/src/Swap/BaseV1-periphery.sol#L537-L546
Vulnerability details
Impact
Tokens with token.decimals > 18 will experience precision loss and return an incorrect price.
Proof of Concept
When token.decimals > 18, the above line will experience precision loss because decimals > 1e18. This precision loss will cause BaseV1-periphery.sol#getPriceCanto and getPriceNote to return an incorrect price.
Tools Used
Recommended Mitigation Steps
Disable oracle functionality on tokens where token.decimals > 18.