Open code423n4 opened 1 year ago
Seems invalid.
“8 decimals for USD” and “18 decimals for ETH”
Whether to add an AMPL pool is up to the admin.
141345 marked the issue as primary issue
Keref marked the issue as sponsor disputed
gzeon-c4 changed the severity to QA (Quality Assurance)
gzeon-c4 marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/4b785d455fff04629d8675f21ef1d1632749b252/contracts/helper/LPOracle.sol#L67-L104
Vulnerability details
Summary
The protocol's price calculations assume that Chainlink price feeds always report 8 decimals. However, Chainlink price feeds with 18 decimals do exist, and they break the calculations.
Proof of Concept
When a price feed with 18 decimals is used (for example, the AMPL / USD feed reports 18 decimals), the
uint val
calculation is completely distorted, since the scaling factor becomes 10**(18-18) = 1
and the output is orders of magnitude smaller than the actual price.
Impact
A distortion of oracle price calculations leads to incorrect value assessments and losses to the users of the protocol.
Tools Used
Manual review
Recommendations
Adapt the logic to account for price feeds with varying numbers of decimals instead of assuming 8.
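To make the decimal mismatch in the proof of concept concrete and show what the recommended fix looks like, here is an added example in Python that models the integer arithmetic a Solidity oracle helper would perform. It is not code from the GoodEntry LPOracle contract; the Feed class, the feed values, the naive_to_18 / to_18 / lp_value_18 functions and the "normalise everything to 18 decimals" convention are all assumptions made for illustration. The naive scaler hard-codes the common 8-decimal USD layout, while to_18 reads the feed's own decimals and also handles feeds above 18 decimals, which goes beyond the single 18-decimal case in the report.

```python
# Constructed example (not the GoodEntry LPOracle code): normalising Chainlink
# feed answers that carry different numbers of decimals before combining them.
# Integer arithmetic only, to mirror Solidity's int256 behaviour.
from dataclasses import dataclass

TARGET = 18  # common fixed-point precision used for every normalised price


@dataclass(frozen=True)
class Feed:
    """Stand-in for a Chainlink aggregator: latest answer plus its decimals().

    Assumed shape for this example; a real contract would call
    latestRoundData() and decimals() on the AggregatorV3Interface.
    """
    answer: int    # fixed-point integer in the feed's own units
    decimals: int  # number of decimals the feed reports


def naive_to_18(feed: Feed) -> int:
    """Scaling that hard-codes the usual 8-decimal USD feed layout.

    Correct for 8-decimal feeds, wrong by 10**(decimals-8) for any other feed.
    """
    return feed.answer * 10 ** (TARGET - 8)


def to_18(feed: Feed) -> int:
    """Decimals-aware normalisation.

    Scales up for feeds below 18 decimals, leaves 18-decimal feeds unchanged,
    and scales down (truncating) for feeds above 18 decimals.
    """
    if feed.answer <= 0:
        raise ValueError("feed returned a non-positive answer")
    if feed.decimals <= TARGET:
        return feed.answer * 10 ** (TARGET - feed.decimals)
    return feed.answer // 10 ** (feed.decimals - TARGET)


def distortion_factor(feed: Feed) -> int:
    """How many times too large the naive scaling is for this feed (1 = correct)."""
    return naive_to_18(feed) // to_18(feed)


def lp_value_18(price_a: int, qty_a: int, price_b: int, qty_b: int) -> int:
    """USD value of a two-token position, all inputs 18-decimal fixed-point.

    Returns an 18-decimal fixed-point USD amount.
    """
    return (price_a * qty_a + price_b * qty_b) // 10 ** TARGET


# Constructed feed values: an 8-decimal USD feed and an 18-decimal one.
ETH_USD = Feed(answer=2_000 * 10 ** 8, decimals=8)    # 2000.00000000 USD
AMPL_USD = Feed(answer=12 * 10 ** 17, decimals=18)    # 1.2 USD with 18 decimals
HIGH_PRECISION = Feed(answer=5 * 10 ** 27, decimals=27)  # 5 USD with 27 decimals


def demo() -> dict:
    """Position of 1 ETH and 10 AMPL valued with both scalers, for comparison."""
    one = 10 ** TARGET
    naive = lp_value_18(naive_to_18(ETH_USD), 1 * one, naive_to_18(AMPL_USD), 10 * one)
    correct = lp_value_18(to_18(ETH_USD), 1 * one, to_18(AMPL_USD), 10 * one)
    return {
        "naive_usd": naive // one,
        "correct_usd": correct // one,
        "ampl_distortion": distortion_factor(AMPL_USD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 8-decimal ETH feed is scaled identically by both functions, so the hard-coded assumption goes unnoticed until a feed with a different decimals() value is added; at that point the naive path misprices the 18-decimal token by a factor of 10**10, which is the kind of distortion the report describes.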
Assessed type
Decimal