Closed c4-bot-3 closed 3 months ago
raymondfam marked the issue as insufficient quality report
`uint256(price).div(uint256(basePrice))` is 1e18 scaled unless price entails decimals different than 8.
raymondfam marked the issue as primary issue
hansfriese marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibOracle.sol#L19-L67
Vulnerability details
Summary
Where the oracle called is not the `baseOracle`, the values returned are not scaled correctly, leading to either a very large overpricing or a very large underpricing.
Vulnerability Details
In the `getOraclePrice()` `try` block, the `baseOracle` returned price `basePrice` is scaled up from 8 to 18 decimals; however, the same is not done for other oracles. Given that other oracles (e.g. JPY, XAU) will also return an 8-decimal USD price, this means that their returned value will be significantly overpriced.

In the `catch` block, `twapInv` is an 18-decimal value returned from `twapCircuitBreaker()`, which is then multiplied by `uint256(price * C.BASE_ORACLE_DECIMALS)`. This equates to (8 decimals * 10 decimals) * 18 decimals, i.e. a 36-decimal value, and a massive underpricing of `priceInEth`.
Impact
The vastly incorrect pricing of "other" stable assets such as JPY and XAU will lead to easy exploitation, costing users a lot of money and rendering their markets unusable.
Tools Used
Manual Review, Foundry Testing
Recommendations
Scale up in the `try` block as:

Scale down in the `catch` block. First add a new variable `ETH_DECIMALS = 10 ** 18` to `Constants.sol` and use that to scale down in the `catch` block as:
Assessed type
Oracle
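To make the decimal arithmetic that the report and the judge's comment disagree about checkable, here is an added Python model; it is not DittoEth's `LibOracle` code and not part of the original report. It carries the implied number of decimals alongside every intermediate value through both branches of `getOraclePrice()` as the report describes them, so a scale mismatch surfaces as a wrong decimal count rather than as a mispriced market. Its assumptions: `.div` is a WAD division (`a * 1e18 / b`, the 1e18 scaling the judge's comment refers to), `C.BASE_ORACLE_DECIMALS` is `1e10`, `twapInv` is an 18-decimal ETH-per-USD figure, `ETH_DECIMALS` is the `1e18` constant the recommendation proposes, and the JPY/ETH prices are constructed. Whether the real contract leaves `price` at 8 decimals before the division, as the report reads it, is exactly what the judge disputes; the model only shows what each reading implies.

```python
from dataclasses import dataclass

# Assumed constants for the model (not read from the DittoEth code base).
WAD = 10**18                   # 18-decimal fixed-point unit used by .div
BASE_ORACLE_DECIMALS = 10**10  # assumed value of C.BASE_ORACLE_DECIMALS (8 -> 18 decimals)
ETH_DECIMALS = 10**18          # the constant the report recommends adding to Constants.sol


@dataclass(frozen=True)
class Fixed:
    """An integer together with the number of decimals it implicitly carries."""
    value: int
    decimals: int

    def rescale(self, to: int) -> "Fixed":
        """Move to another decimal count by multiplying or floor-dividing by a power of ten."""
        if to >= self.decimals:
            return Fixed(self.value * 10 ** (to - self.decimals), to)
        return Fixed(self.value // 10 ** (self.decimals - to), to)

    def mul(self, other: "Fixed") -> "Fixed":
        """Plain integer multiplication: decimals add, as in `twapInv * (price * 1e10)`."""
        return Fixed(self.value * other.value, self.decimals + other.decimals)

    def wad_div(self, other: "Fixed") -> "Fixed":
        """WAD division a.div(b) = a * 1e18 / b: decimals come out as da + 18 - db."""
        return Fixed(self.value * WAD // other.value, self.decimals + 18 - other.decimals)


def decimals_off_by(x: Fixed, expected: int = 18) -> int:
    """Positive when x carries more decimals than expected, negative when fewer, 0 when right."""
    return x.decimals - expected


def try_branch(price: Fixed, base_price: Fixed, scale_price: bool) -> Fixed:
    """Model of the try block as the report reads it: basePrice is rescaled 8 -> 18 decimals
    and priceInEth = price.div(basePrice). scale_price=False is the path the report flags
    (price left at 8 decimals); True is its recommended fix."""
    base_price = base_price.rescale(18)
    if scale_price:
        price = price.rescale(18)
    return price.wad_div(base_price)


def catch_branch(price: Fixed, twap_inv: Fixed, scale_down: bool) -> Fixed:
    """Model of the catch block: twapInv * uint256(price * C.BASE_ORACLE_DECIMALS).
    With scale_down=True the product is divided by ETH_DECIMALS as the report recommends."""
    scaled_price = price.mul(Fixed(BASE_ORACLE_DECIMALS, 10))  # 8 + 10 = 18 decimals
    result = twap_inv.mul(scaled_price)                         # 18 + 18 = 36 decimals
    if scale_down:
        result = Fixed(result.value // ETH_DECIMALS, result.decimals - 18)
    return result


# Constructed sample inputs (not real oracle readings): JPY/USD and ETH/USD at
# 8 decimals, plus the matching 18-decimal inverse TWAP (ETH per USD).
JPY_USD = Fixed(670_000, 8)            # 0.0067 USD per JPY
ETH_USD = Fixed(3_000 * 10**8, 8)      # 3000 USD per ETH
TWAP_INV = Fixed(WAD // 3_000, 18)     # 1/3000 ETH per USD


def demo() -> dict:
    """Run both branches with and without the scaling fix; returns how far off 18 decimals each is."""
    return {
        "try_unscaled": decimals_off_by(try_branch(JPY_USD, ETH_USD, scale_price=False)),
        "try_scaled": decimals_off_by(try_branch(JPY_USD, ETH_USD, scale_price=True)),
        "catch_unscaled": decimals_off_by(catch_branch(JPY_USD, TWAP_INV, scale_down=False)),
        "catch_scaled": decimals_off_by(catch_branch(JPY_USD, TWAP_INV, scale_down=True)),
    }


if __name__ == "__main__":
    for name, off in demo().items():
        print(f"{name:15s} decimals off by {off:+d}")
```

With both fixes applied the two branches agree on the same 18-decimal JPY-in-ETH price, which is the consistency check worth putting in a Foundry test: the `try` and `catch` paths must return values on the same scale for the same inputs, whichever reading of the contract turns out to be right.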