Open c4-submissions opened 1 year ago
poolMatchesOracle scales with sqrtPriceX96 divided by 2 ** 12 when calculating priceX8 to avoid overflow, but overflow still occurs. As mentioned in the report, such as WBTC / WETH token pair.
sqrtPriceX96
2 ** 12
priceX8
WBTC / WETH
uint256 sqrtP = FullMath.mulDiv(sqrtPrice, 10 ** token0Decimals, Q96); priceX8 = FullMath.mulDiv(sqrtP, sqrtP, 10 ** token0Decimals);
By using Q96 to scale and avoid overflow issues in fix.
After actual testing, this does avoid the overflow problem:
// SPDX-License-Identifier: UNLICENSED pragma solidity ^0.8.13; import {Test, console2} from "forge-std/Test.sol"; contract PriceTest is Test { uint256 constant Q96 = 0x1000000000000000000000000; function testOraclePrice() public { uint160 sqrtPriceX96 = 31520141554881197083247204479961147; uint256 token0Decimals = 8; uint256 sqrtPrice = uint256(sqrtPriceX96); uint256 sqrtP = sqrtPrice * 10 ** token0Decimals / Q96; uint priceX8 = sqrtP * sqrtP / 10 ** token0Decimals; } }
LGTM
gzeon-c4 marked the issue as confirmed for report
gzeon-c4 marked the issue as satisfactory
Lines of code
Vulnerability details
Comments
poolMatchesOracle scales with
sqrtPriceX96
divided by2 ** 12
when calculatingpriceX8
to avoid overflow, but overflow still occurs. As mentioned in the report, such asWBTC / WETH
token pair.Mitigation
By using Q96 to scale and avoid overflow issues in fix.
Test
After actual testing, this does avoid the overflow problem:
Conclusion
LGTM