Closed code423n4 closed 1 year ago
0xean marked the issue as duplicate
0xean marked the issue as not a duplicate
0xean marked the issue as duplicate of #526
0xean marked the issue as not a duplicate
0xean marked the issue as duplicate of #540
Issue marked as satisfactory as requested by 0xean
Simon-Busch marked the issue as duplicate of #533
Lines of code
https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/Oracle.sol#L87
https://github.com/code-423n4/2022-10-inverse/blob/cc281e5800d5860c816138980f08b84225e430fe/src/Oracle.sol#L121
Vulnerability details
Proof of Concept
Chainlink price feeds usually have 18 decimals, but this is not guaranteed. Also tokens usually have 18 decimals or less but this is also not the case for 100% of widely used tokens (YAM-v2 has 24).

So the normal use case is when both the feed and the token have 18 decimals or less. There are three options when the following code will revert:
- feedDecimals to be 18, but tokenDecimals to be >18
- tokenDecimals to be 18, but feedDecimals to be >18
- tokenDecimals + feedDecimals > 36

If some of the examples are the case, then the viewPrice() and getPrice() functions in Oracle.sol will always revert because of the uint underflow, resulting in all of the protocol functions being in a DoS state.
Impact
The impact is 100% malfunctioning of the protocol, but it will happen only under some Market collateral circumstances, hence the Medium severity.
Recommendation
When adding a new token and price feed in Oracle.sol add a require statement that makes sure tokenDecimals + feedDecimals <= 36
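
The recommended guard, sketched as an added example that is not part of the original report or of Inverse Finance's Oracle.sol. The contract, interface and function names are hypothetical, and the `36 - feedDecimals - tokenDecimals` normalization is an assumption inferred from the condition the report states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical minimal feed interface: only decimals() is needed for the check.
interface IFeedDecimals {
    function decimals() external view returns (uint8);
}

// Illustrative registry (hypothetical), showing where the decimals guard belongs.
contract DecimalsCheckedRegistry {
    struct FeedData {
        IFeedDecimals feed;
        uint8 tokenDecimals;
    }

    address public operator;
    mapping(address => FeedData) public feeds;

    constructor() {
        operator = msg.sender;
    }

    // Registration-time guard: reject a token/feed pair that could never be priced.
    function setFeed(address token, IFeedDecimals feed, uint8 tokenDecimals) external {
        require(msg.sender == operator, "ONLY OPERATOR");
        uint8 feedDecimals = feed.decimals();
        // Widen to uint256 so the sum itself cannot overflow uint8 arithmetic.
        require(uint256(feedDecimals) + tokenDecimals <= 36, "DECIMALS SUM > 36");
        feeds[token] = FeedData(feed, tokenDecimals);
    }

    // Assumed normalization: scale the raw answer by 10**(36 - feedDecimals - tokenDecimals).
    function normalize(address token, uint256 rawPrice) external view returns (uint256) {
        FeedData memory data = feeds[token];
        require(address(data.feed) != address(0), "NO FEED");
        // decimals() is read again here, so re-check before subtracting.
        uint8 feedDecimals = data.feed.decimals();
        require(uint256(feedDecimals) + data.tokenDecimals <= 36, "DECIMALS SUM > 36");
        // Without the check above, checked uint8 subtraction would revert with a panic
        // for pairs such as (18, 24), leaving every price read for that token unusable.
        uint8 shift = 36 - feedDecimals - data.tokenDecimals;
        return rawPrice * (10 ** shift);
    }
}
```

With the guard in `setFeed`, a pair such as an 18-decimal feed and a 24-decimal token is rejected once at listing time with a clear reason string, instead of causing every later price read to revert.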