code-423n4 / 2023-08-dopex-findings


Incorrect price precision in RdpxV2Core #2206

Closed code423n4 closed 12 months ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L1240-L1241

Vulnerability details

Impact

The core contract expects the price oracle to return 1e8 precision, but it's actually 1e18. This will cause heavily incorrect results from all usages of the price.

Proof of Concept

The RdpxV2Core.getRdpxPrice function is meant to return 1e8 precision:

```solidity
  /**
   * @notice Returns the price of rDPX against ETH
   * @dev    Price is in 1e8 Precision
   * @return rdpxPriceInEth rDPX price in ETH
   **/
  function getRdpxPrice() public view returns (uint256) {
    return
      IRdpxEthOracle(pricingOracleAddresses.rdpxPriceOracle)
        .getRdpxPriceInEth();
  }
```

It can be seen that the value of IRdpxEthOracle is returned unchanged. Now looking at the implementation of RdpxEthOracle.getRdpxPriceInEth:

```solidity
/// @notice Returns the price of rDPX in ETH
/// @return price price of rDPX in ETH in 1e18 decimals
//@tagged RdpxV2Core.bondWithDelegate
function getRdpxPriceInEth() external view override returns (uint price) {
    require(
        blockTimestampLast + timePeriod + nonUpdateTolerance >
            block.timestamp,
        "RdpxEthOracle: UPDATE_TOLERANCE_EXCEEDED"
    );

    price = consult(token0, 1e18);

    require(price > 0, "RdpxEthOracle: PRICE_ZERO");
}
```

As can be seen, the precision is 1e18.

Tools Used

Manual Review

Recommended Mitigation Steps

Divide the result from getRdpxPriceInEth by 1e10 to get 1e8 precision.

Assessed type

Other
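The precision mismatch and the proposed 1e10 rescaling, modelled as an added example that is not part of the report or the Dopex code base; `rescale`, `rdpx_for_eth` and the sample prices are constructed assumptions used to show how far a consumer that trusts the documented 1e8 precision ends up off.

```python
# Added example, not code from the report or the Dopex contracts. It models the
# mismatch the report describes: RdpxEthOracle returns 1e18-precision prices while
# RdpxV2Core documents 1e8, and shows the effect on a hypothetical consumer.
# rescale(), rdpx_for_eth() and the sample values are constructed for illustration.

ORACLE_DECIMALS = 18  # getRdpxPriceInEth: "price of rDPX in ETH in 1e18 decimals"
CORE_DECIMALS = 8     # getRdpxPrice NatSpec: "Price is in 1e8 Precision"


def rescale(value: int, from_decimals: int, to_decimals: int) -> int:
    """Convert a fixed-point integer between decimal precisions.

    Scaling down uses integer division, which truncates; a price that rounds to
    zero is rejected rather than returned, since a zero price would silently
    break every downstream calculation that divides by it.
    """
    if from_decimals == to_decimals:
        return value
    if to_decimals > from_decimals:
        return value * 10 ** (to_decimals - from_decimals)
    scaled = value // 10 ** (from_decimals - to_decimals)
    if scaled == 0:
        raise ValueError("price rounds to zero at %d decimals" % to_decimals)
    return scaled


def rdpx_for_eth(eth_wei: int, price: int, price_decimals: int) -> int:
    """Hypothetical consumer: rDPX (1e18 units) that eth_wei buys at `price`
    (rDPX/ETH as fixed-point with `price_decimals`). Mirrors a core contract
    using getRdpxPrice() while trusting the documented precision."""
    return eth_wei * 10 ** price_decimals // price


def demo(price_1e18: int = 5 * 10**16, eth_wei: int = 10**18) -> dict:
    """Constructed scenario: oracle says 1 rDPX = 0.05 ETH, user spends 1 ETH."""
    # Bug: the raw 1e18 value is consumed as if it were 1e8.
    buggy = rdpx_for_eth(eth_wei, price_1e18, CORE_DECIMALS)
    # Mitigation from the report: divide by 1e10 before using it as 1e8.
    price_1e8 = rescale(price_1e18, ORACLE_DECIMALS, CORE_DECIMALS)
    fixed = rdpx_for_eth(eth_wei, price_1e8, CORE_DECIMALS)
    # Ground truth computed entirely at the oracle's own precision.
    truth = rdpx_for_eth(eth_wei, price_1e18, ORACLE_DECIMALS)
    return {"buggy": buggy, "fixed": fixed, "truth": truth,
            "error_factor": truth // buggy}


if __name__ == "__main__":
    print(demo())
```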

c4-pre-sort commented 12 months ago

bytes032 marked the issue as duplicate of #549

c4-pre-sort commented 12 months ago

bytes032 marked the issue as sufficient quality report

c4-judge commented 10 months ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 10 months ago

GalloDaSballo changed the severity to 2 (Med Risk)

c4-judge commented 10 months ago

GalloDaSballo changed the severity to 3 (High Risk)