search

code-423n4 / 2023-09-goodentry-mitigation-findings

0 stars 0 forks source link

H-03 MitigationConfirmed #30

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Comments

poolMatchesOracle scales with sqrtPriceX96 divided by 2 ** 12 when calculating priceX8 to avoid overflow, but overflow still occurs. As mentioned in the report, such as WBTC / WETH token pair.

Mitigation

        uint256 sqrtP = FullMath.mulDiv(sqrtPrice, 10 ** token0Decimals, Q96);
        priceX8 = FullMath.mulDiv(sqrtP, sqrtP, 10 ** token0Decimals);

By using Q96 to scale and avoid overflow issues in fix.

Test

After actual testing, this does avoid the overflow problem:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test, console2} from "forge-std/Test.sol";

contract PriceTest is Test {
    uint256 constant Q96 = 0x1000000000000000000000000;

    function testOraclePrice() public {
        uint160 sqrtPriceX96 = 31520141554881197083247204479961147;
        uint256 token0Decimals = 8;

        uint256 sqrtPrice = uint256(sqrtPriceX96);
        uint256 sqrtP = sqrtPrice * 10 ** token0Decimals / Q96;
        uint priceX8 = sqrtP * sqrtP / 10 ** token0Decimals;
    }
}

Conclusion

LGTM

c4-judge commented 12 months ago

gzeon-c4 marked the issue as confirmed for report

c4-judge commented 12 months ago

gzeon-c4 marked the issue as satisfactory