Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracleV2.sol#L260
Vulnerability details
Impact
A hardcoded scaleFactor can result in increased/decreased price answers during getChainlinkOraclePrice.
Proof of Concept
Currently, the scaleFactor is calculated and set during _setFTokenToChainlinkOracle for the corresponding token. During getChainlinkOraclePrice, the answer is then multiplied by chainlinkInfo.scaleFactor. However, if the decimals of the oracle change for whatever reason (upgradeability, malicious admin, compromised private keys, etc.), this will result in an inflated / deflated return value, which will most probably lead to a loss of user funds.
Due to the low likelihood of this issue happening but the high impact, this is raised as medium instead of high.
Tools Used
VSCode
Recommended Mitigation Steps
Consider recalculating the scaleFactor during getChainlinkOraclePrice in order to ensure that the returned value matches the desired output. This can be done as follows:
*We acknowledge that upgradeability risks are out of scope for this contest. However, because this issue can be easily fixed, we still believe that this submission is valuable for the sponsor.
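As an added illustration (this is not the warden's omitted snippet and not Ondo's code), the Solidity below places the cached-factor read path next to a read path that re-derives the factor from the feed's decimals() on every call. The contract and function names, the mutable-decimals mock feed, the 18-decimal normalisation target and the formula scaleFactor = 10 ** (18 - feedDecimals) are assumptions made for this example; only the AggregatorV3Interface signatures are Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of Chainlink's AggregatorV3Interface, declared inline so the
// file compiles stand-alone. Signatures match the real interface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Constructed mock feed (not a real aggregator) whose decimals can be changed
// after deployment, standing in for an upgraded or compromised feed.
contract MutableDecimalsFeed is AggregatorV3Interface {
    uint8 private _decimals;
    int256 private _answer;

    constructor(uint8 decimals_, int256 answer_) {
        _decimals = decimals_;
        _answer = answer_;
    }

    function setDecimals(uint8 decimals_) external { _decimals = decimals_; }
    function setAnswer(int256 answer_) external { _answer = answer_; }

    function decimals() external view override returns (uint8) { return _decimals; }

    function latestRoundData()
        external
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, _answer, block.timestamp, block.timestamp, 1);
    }
}

// Hypothetical consumer showing both read paths. Assumption for the example:
// prices are normalised to 18 decimals and scaleFactor = 10 ** (18 - decimals).
contract ScaleFactorExample {
    struct ChainlinkOracleInfo {
        AggregatorV3Interface oracle;
        uint256 scaleFactor; // cached once at registration time
    }

    uint8 internal constant TARGET_DECIMALS = 18;

    mapping(address => ChainlinkOracleInfo) public fTokenToChainlinkOracle;

    // Registration: derives the factor from decimals() a single time.
    function setFTokenToChainlinkOracle(address fToken, address feed) external {
        AggregatorV3Interface oracle = AggregatorV3Interface(feed);
        uint8 feedDecimals = oracle.decimals();
        require(feedDecimals <= TARGET_DECIMALS, "unsupported decimals");
        fTokenToChainlinkOracle[fToken] = ChainlinkOracleInfo({
            oracle: oracle,
            scaleFactor: 10 ** (TARGET_DECIMALS - feedDecimals)
        });
    }

    // Pattern the finding describes: multiplies by the cached factor, so a
    // later change of the feed's decimals() skews the result by a power of ten.
    function getPriceCachedScale(address fToken) external view returns (uint256) {
        ChainlinkOracleInfo memory info = fTokenToChainlinkOracle[fToken];
        (, int256 answer, , , ) = info.oracle.latestRoundData();
        require(answer > 0, "invalid answer");
        return uint256(answer) * info.scaleFactor;
    }

    // Mitigated pattern: re-reads decimals() on each call, so the scaling always
    // matches the feed's current precision. Feeds above 18 decimals are scaled
    // down instead of rejected.
    function getPriceLiveScale(address fToken) external view returns (uint256) {
        ChainlinkOracleInfo memory info = fTokenToChainlinkOracle[fToken];
        (, int256 answer, , , ) = info.oracle.latestRoundData();
        require(answer > 0, "invalid answer");
        uint8 feedDecimals = info.oracle.decimals();
        if (feedDecimals <= TARGET_DECIMALS) {
            return uint256(answer) * 10 ** (TARGET_DECIMALS - feedDecimals);
        }
        return uint256(answer) / 10 ** (feedDecimals - TARGET_DECIMALS);
    }
}
```

To reproduce the divergence, deploy MutableDecimalsFeed with 8 decimals and a constructed answer of 1500e8, register it, and read both functions: both return 1500e18. Then call setDecimals(18) and setAnswer(1500e18) on the mock: getPriceCachedScale still multiplies by the stale 1e10 and returns a value 1e10 times too large, while getPriceLiveScale still returns 1500e18. The extra external call to decimals() costs gas on every read, which is the trade-off the mitigation accepts.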