code-423n4 / 2023-07-moonwell-findings


No chance to use a token which has more than 18 decimals #140

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L74-L92

Vulnerability details

Impact

The protocol cannot use tokens which have more than 18 decimals as mToken collateral, because the oracle reverts when getting the price: `18 - decimals` will cause an arithmetic overflow.

Proof of Concept

Tools Used

Manual review

Recommended Mitigation Steps

Instead of this:

    uint256 decimalDelta = uint256(18).sub(uint256(token.decimals()));
    // Ensure that we don't multiply the result by 0
    if (decimalDelta > 0) {
        return price.mul(10 ** decimalDelta);
    } else {
        return price;
    }

use this:

    if (token.decimals() > 18) {
        return price.mul(10 ** (token.decimals() - 18));
    } else if (token.decimals() < 18) {
        return price.mul(10 ** (18 - token.decimals()));
    } else {
        return price;
    }

Assessed type

Decimal
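
A reproduction of the revert described in the report above, as an added example that is not part of the original report or Moonwell's code. `MockToken`, `DecimalDeltaCheck` and their functions are hypothetical names, and Solidity 0.8 checked arithmetic is assumed in place of the SafeMath calls in the quoted snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: hypothetical names, not Moonwell's contracts.
interface IDecimals {
    function decimals() external view returns (uint8);
}

// Constructed stand-in for an underlying token with configurable decimals.
contract MockToken is IDecimals {
    uint8 public immutable override decimals;

    constructor(uint8 d) {
        decimals = d;
    }
}

contract DecimalDeltaCheck {
    // Same subtraction pattern as the snippet quoted in the report.
    // Assumption: 0.8 checked arithmetic stands in for SafeMath's sub/mul.
    function scaleLikeOracle(uint256 price, IDecimals token) public view returns (uint256) {
        // Reverts with an arithmetic panic when token.decimals() > 18.
        uint256 decimalDelta = uint256(18) - uint256(token.decimals());
        if (decimalDelta > 0) {
            return price * (10 ** decimalDelta);
        }
        return price;
    }

    // Pre-listing check: true if the oracle-style scaling succeeds for this token.
    function scalingSucceeds(IDecimals token) external view returns (bool) {
        try this.scaleLikeOracle(1e18, token) returns (uint256) {
            return true;
        } catch {
            return false;
        }
    }

    // Deploys constructed tokens and reports the outcome for 6, 18 and 24 decimals.
    function demo() external returns (bool six, bool eighteen, bool twentyFour) {
        six = this.scalingSucceeds(new MockToken(6));
        eighteen = this.scalingSucceeds(new MockToken(18));
        twentyFour = this.scalingSucceeds(new MockToken(24));
    }
}
```

Running `scalingSucceeds` against a candidate underlying before listing it surfaces the revert ahead of any market depending on the price path.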

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #270

c4-judge commented 1 year ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

alcueca marked the issue as grade-a