Lines of code
Vulnerability details
C4 issue
M-07: Large decimal of referenceToken causes overflow at oracle price calculation
Comments
The original implementation to scale chainlink price with reference token is as follows:
With chainlinkPriceX96 of type uint256, suppose referenceTokenDecimals = 18; then this will overflow if chainlinkPriceX96 >= 2**256/(Q96 * 10**18)
=> chainlinkPrice >= 2**256/(Q96 * Q96 * 10**18)
=> chainlinkPrice > 18.4.
This is entirely possible if the input token is ETH and the ETH/USDC feed is used (the ETH price is much larger than 18.4 USDC).
Mitigation
PR #21
In the mitigated code, the calculation is updated to:
In the previous example, this updated code can only overflow if chainlinkPrice > 2**256/(Q96*Q96*10**10) (because referenceTokenDecimals = 18 and feedConfig.tokenDecimals = 8), or chainlinkPrice > 1844674407 (1.8 billion USD), which is far above reasonable values.
This implementation is also recommended by the Chainlink documentation.
The mitigation resolved the original issue.
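The two bounds above can be checked numerically. This is an added Python example, not code from the audited project or from PR #21. It assumes, from the inequalities on this page, that the overflowing numerator has the shape 10**exp * chainlinkPriceX96 * Q96 with chainlinkPriceX96 = chainlinkPrice * Q96, and that the fix scales by the decimal difference; all function names are hypothetical and 3000 is a constructed sample price.

```python
# Added example: names are hypothetical; the product shape is inferred from
# the inequalities on this page, not copied from the project's Solidity.
Q96 = 2**96
UINT256_MAX = 2**256 - 1


class Overflow(ArithmeticError):
    """Stands in for the revert Solidity >=0.8 raises on checked overflow."""


def checked_mul(a: int, b: int) -> int:
    """uint256 multiplication that fails instead of wrapping."""
    result = a * b
    if result > UINT256_MAX:
        raise Overflow(f"{a} * {b} exceeds uint256")
    return result


def original_exp(reference_decimals: int) -> int:
    """Pre-fix scaling (assumed): multiply by 10**referenceTokenDecimals."""
    return reference_decimals


def mitigated_exp(reference_decimals: int, feed_decimals: int) -> int:
    """Post-fix scaling (assumed): multiply only by the decimal difference.
    Covers the page's case, where reference_decimals >= feed_decimals."""
    return reference_decimals - feed_decimals


def scale_numerator(price: int, exp: int) -> int:
    """10**exp * chainlinkPriceX96 * Q96, with chainlinkPriceX96 = price * Q96."""
    price_x96 = checked_mul(price, Q96)
    return checked_mul(checked_mul(10**exp, price_x96), Q96)


def max_safe_price(exp: int) -> int:
    """Largest whole-unit price whose numerator still fits in uint256."""
    return UINT256_MAX // (Q96 * Q96 * 10**exp)


def survives(price: int, exp: int) -> bool:
    """True if the numerator can be computed without reverting."""
    try:
        scale_numerator(price, exp)
        return True
    except Overflow:
        return False
```

With referenceTokenDecimals = 18 the pre-fix exponent caps the price at 18, so a constructed ETH price of 3000 reverts, while the mitigated exponent of 10 raises the cap to 1844674407.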
Conclusion
LGTM