the function getPrice may underflow if the mToken decimals was more than 18. this can happen because mToken can be any token with decimals more than 18 and in this case the function getPrice() will underflow and revert.
Proof of Concept
the function getPrice:
function getPrice(MToken mToken) internal view returns (uint256 price) {
EIP20Interface token = EIP20Interface(
MErc20(address(mToken)).underlying()
);
if (prices[address(token)] != 0) {
price = prices[address(token)];
} else {
//add return here
price = getChainlinkPrice(getFeed(token.symbol()));
}
/**
@audit underflow may happen, some tokens have more than 18 tokens
*/
uint256 decimalDelta = uint256(18).sub(uint256(token.decimals()));
// Ensure that we don't multiply the result by 0
if (decimalDelta > 0) {
return price.mul(10 ** decimalDelta);
} else {
return price;
}
}
the function will get the decimal delta using the token decimals which can be more than 18 and cause underflow.
Tools Used
manual review
Recommended Mitigation Steps
recommend to add check for token.decimals <= 18 to avoid underflow
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L85
Vulnerability details
Impact
the function
getPrice
may underflow if the mToken decimals was more than 18. this can happen because mToken can be any token with decimals more than 18 and in this case the functiongetPrice()
will underflow and revert.Proof of Concept
the function
getPrice
:the function will get the decimal delta using the token decimals which can be more than 18 and cause underflow.
Tools Used
manual review
Recommended Mitigation Steps
recommend to add check for
token.decimals <= 18
to avoid underflowAssessed type
Decimal