Open code423n4 opened 1 year ago
0xSorryNotSorry marked the issue as primary issue
comment differs from implementation, see code
ElliotFriedman marked the issue as sponsor disputed
Downgraded to QA, please fix the comment.
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L97-L114
Vulnerability details
Proof of Concept
The getChainlinkPrice() function in the ChainlinkOracle contract assumes that all USD-denominated feeds store answers at 8 decimals and that all assets have 18 decimal places. However, there are some USD-denominated feeds that do not return 8 decimals and some assets that do not have 18 decimal places. For example, the USDC/USD feed returns 8 decimal places but USDC has 6 decimal places, so the USDC token is treated as having 18 decimal places instead of 6.
USDC/USD feed: https://etherscan.io/address/0x8fffffd4afb6115b954bd326cbe7b4ba576818f6#readContract
Impact
The returned price can be inflated by 12 decimal places.
Tools Used
Manual Review
Recommended Mitigation Steps
Do not assume that all assets priced by Chainlink USD-denominated feeds have 18 decimals. Check each asset's decimal places before scaling to 18 decimal places.
Assessed type
Decimal
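The mitigation above, worked through as an added example that is not part of the original report or of the Moonwell code base: a Python model of Compound-style price normalization in which both the feed's decimals() and the token's decimals() are read rather than assumed. The Feed and Token classes are constructed stand-ins for the on-chain AggregatorV3 feed and ERC-20 underlying, the 36 - token.decimals scaling convention is assumed from the Compound oracle design the Moonwell oracle follows, and every number used is constructed sample input, not live chain data. The naive path models the assumption the report describes (8-decimal feed, 18-decimal asset) so the two results can be compared on a USDC balance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Feed:
    """Constructed stand-in for a Chainlink AggregatorV3 feed (assumption, not the real interface)."""
    answer: int       # latestRoundData answer, in `decimals` fixed-point units
    decimals: int     # what the feed's decimals() view returns
    updated_at: int   # latestRoundData updatedAt; 0 means an incomplete round


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for an ERC-20 underlying exposing decimals()."""
    symbol: str
    decimals: int


def feed_price_18(feed: Feed) -> int:
    """Scale a feed answer to 18 decimals using the feed's own decimals(), not an assumed 8."""
    if feed.answer <= 0:
        raise ValueError("Chainlink answer must be positive")
    if feed.updated_at == 0:
        raise ValueError("round is in an incomplete state")
    if feed.decimals > 18:
        raise ValueError("feed decimals above 18 are not supported")
    return feed.answer * 10 ** (18 - feed.decimals)


def oracle_price(feed: Feed, token: Token) -> int:
    """Compound-style oracle price (assumed convention): the 18-decimal USD price
    scaled again by 10**(18 - token.decimals), so the result carries
    36 - token.decimals decimals and multiplies directly against a raw balance."""
    if token.decimals > 18:
        raise ValueError("token decimals above 18 are not supported")
    return feed_price_18(feed) * 10 ** (18 - token.decimals)


def naive_oracle_price(feed: Feed) -> int:
    """The assumption the report describes: every feed is 8 decimals and every
    asset is 18 decimals, so no per-asset scaling is applied."""
    return feed.answer * 10 ** (18 - 8)


def usd_value_18(price: int, raw_balance: int) -> int:
    """USD value (18 decimals) of a raw smallest-unit balance at a 36 - decimals price."""
    return price * raw_balance // 10 ** 18


# Constructed sample inputs: USDC/USD at exactly 1.00 and ETH/USD at 1800.00, both 8-decimal feeds.
USDC_FEED = Feed(answer=1_0000_0000, decimals=8, updated_at=1_690_000_000)
USDC = Token(symbol="USDC", decimals=6)
ETH_FEED = Feed(answer=1800_0000_0000, decimals=8, updated_at=1_690_000_000)
WETH = Token(symbol="WETH", decimals=18)

if __name__ == "__main__":
    balance = 1000 * 10 ** USDC.decimals  # 1000 USDC in raw units
    print("correct USDC value (1e18):", usd_value_18(oracle_price(USDC_FEED, USDC), balance))
    print("naive   USDC value (1e18):", usd_value_18(naive_oracle_price(USDC_FEED), balance))
    print("WETH price (36-18 decimals):", oracle_price(ETH_FEED, WETH))
```

For an 18-decimal asset such as WETH the two paths agree, which is why the mismatch only surfaces on assets like USDC: there the per-token scaling contributes a factor of 10**12, and a 1000 USDC balance is valued at 1000e18 by the decimals-aware path but at 1000e6 by the naive one.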