code-423n4 / 2023-01-ondo-findings


`OndoPriceOracleV2` uses hardcoded `scaleFactor` #251

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/OndoPriceOracleV2.sol#L260

Vulnerability details

Impact

A hardcoded scaleFactor can result in increased/decreased price answers during getChainlinkOraclePrice.

Proof of Concept

Currently, the scaleFactor is calculated and set during _setFTokenToChainlinkOracle for the corresponding token.

During the getChainlinkOraclePrice function it then multiplies the answer by chainlinkInfo.scaleFactor.

However, if the decimals within the oracle change for whatever reason (upgradeability, malicious admin, compromised private keys, etc) this will result in an inflated / deflated return value which will most probably lead to a loss of user funds.

Due to the low likelihood of this issue happening but the high impact, this will just be raised as medium instead of high.

Tools Used

VSCode

Recommended Mitigation Steps

Consider recalculating the scaleFactor during getChainlinkOraclePrice in order to ensure that the returned value matches the desired output.

This can be done as follows:

```solidity
uint256(answer) * (10 ** (36 - uint256(AggregatorV3Interface(chainlinkInfo).decimals()) - uint256(IERC20Like(underlying).decimals())))
```

*We acknowledge that upgradeability risks are out of scope for this contest. However, due to the fact that this issue can be easily fixed we still believe that this submission would be valuable for the sponsor.

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2023-01-ondo-findings/issues/318

c4-judge commented 1 year ago

trust1995 marked the issue as grade-b