code-423n4 / 2023-07-moonwell-findings


the `getPrice()` in ` function did not support mTokens with more than 18 decimals #337

Open code423n4 opened 12 months ago

code423n4 commented 12 months ago

Lines of code

https://github.com/code-423n4/2023-07-moonwell/blob/fced18035107a345c31c9a9497d0da09105df4df/src/core/Oracles/ChainlinkOracle.sol#L85

Vulnerability details

Impact

The function getPrice may underflow if the mToken decimals are more than 18. This can happen because mToken can be any token with decimals more than 18, and in this case the function getPrice() will underflow and revert.

Proof of Concept

The function getPrice:

    function getPrice(MToken mToken) internal view returns (uint256 price) {
        EIP20Interface token = EIP20Interface(
            MErc20(address(mToken)).underlying()
        );

        if (prices[address(token)] != 0) {
            price = prices[address(token)];
        } else {
            //add return here
            price = getChainlinkPrice(getFeed(token.symbol()));
        }
        /**
        @audit underflow may happen, some tokens have more than 18 tokens
        */
        uint256 decimalDelta = uint256(18).sub(uint256(token.decimals()));
        // Ensure that we don't multiply the result by 0
        if (decimalDelta > 0) {
            return price.mul(10 ** decimalDelta);
        } else {
            return price;
        }
    }

The function will get the decimal delta using the token decimals, which can be more than 18 and cause underflow.

Tools Used

Manual review

Recommended Mitigation Steps

Recommend adding a check for token.decimals <= 18 to avoid underflow.

Assessed type

Decimal
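The decimal-scaling step from the report, isolated as an added example (not code from the Moonwell repository or from the reporter). It assumes `.sub` in the original is a checked, SafeMath-style subtraction, modelled here with Solidity 0.8 checked arithmetic; `DecimalScaling`, `scaleChecked`, `scaleGuarded`, `UnsupportedDecimals` and `ScalingHarness` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; all names below are hypothetical.
library DecimalScaling {
    uint8 internal constant TARGET_DECIMALS = 18;

    /// Raised by the guarded variant so callers see why pricing was refused.
    error UnsupportedDecimals(uint8 decimals);

    /// Same shape as the scaling in getPrice(): 18 - decimals, then multiply.
    /// With checked arithmetic the subtraction reverts with a generic
    /// arithmetic panic when decimals > 18, before any price is returned.
    function scaleChecked(uint256 price, uint8 decimals)
        internal pure returns (uint256)
    {
        uint256 decimalDelta = uint256(TARGET_DECIMALS) - uint256(decimals);
        if (decimalDelta > 0) {
            return price * (10 ** decimalDelta);
        }
        return price;
    }

    /// Variant with the check the report recommends: decimals <= 18 is
    /// validated up front and a descriptive error is returned otherwise.
    function scaleGuarded(uint256 price, uint8 decimals)
        internal pure returns (uint256)
    {
        if (decimals > TARGET_DECIMALS) revert UnsupportedDecimals(decimals);
        // Safe: decimals <= 18, so the subtraction cannot go negative.
        return price * (10 ** uint256(TARGET_DECIMALS - decimals));
    }
}

/// Thin wrapper so both variants can be called from a test.
contract ScalingHarness {
    function checked(uint256 price, uint8 decimals) external pure returns (uint256) {
        return DecimalScaling.scaleChecked(price, decimals);
    }

    function guarded(uint256 price, uint8 decimals) external pure returns (uint256) {
        return DecimalScaling.scaleGuarded(price, decimals);
    }
}
```

For 6 and 18 decimals both variants return the same value; for 19 decimals `checked` fails with an arithmetic panic and `guarded` fails with `UnsupportedDecimals(19)`.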

0xSorryNotSorry commented 11 months ago

The function can't underflow but will return the price.

c4-pre-sort commented 11 months ago

0xSorryNotSorry marked the issue as duplicate of #270

c4-judge commented 11 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

alcueca marked the issue as grade-a