Open hats-bug-reporter[bot] opened 1 year ago

Github username: @bahurum
Submission hash (on-chain): 0x7ede3495d562581e385efabb22d3effb5a1af1814ee65563eba6787760ba2988
Severity: medium

Description

_getV2Price() in CvgOracle can return an incorrect price if the tokens in the pool do not have the same decimals.

Attack Scenario

Consider a WBTC/USDC pool, where WBTC is token0. If the price of BTC is 25_000 USD, then the reserves will be

reserves WBTC = 1e8
reserves USDC = 25_000 * 1e6

reserve0 < reserve1, so

price = (25_000 * 1e6 / 1e8) * (1e16) = 2.5

Running the coded PoC attached returns:

which confirms the issue.

This will make the oracle call fail when checking against the Chainlink price of the asset.

Recommendation

Normalize the reserves to 18 decimals before dividing to obtain the price:

Attachments
Files:

---

Comment:
I apologize, there is a typo in the hand calculation; it should be:

price = (25_000 * 1e6 / 1e8) * (1e16) = 2.5 * 1e18

Comment:
Hello, thanks a lot for your attention. You are absolutely right, we miscalculated the Univ2 price... That's a good catch, so thanks a lot for this finding. It will be very unlikely that an exploiter uses this miscalculation to have a better discount on our bonds... even if the delta check will protect us from that. In conclusion we agree with you that this finding is a MEDIUM, congrats.
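The recommendation in the report (normalize both reserves to 18 decimals before dividing) and the hand calculation in the thread can be checked side by side with the following added example. This is illustrative code written here, not the project's _getV2Price() or the reporter's PoC: the naive formula reproduces the report's arithmetic (reserve1 / reserve0 scaled by 1e16, where the 1e16 factor is taken from the hand calculation and is an assumption about the original code), the normalized version implements the recommended fix, and the within_delta helper stands in for the delta check against the Chainlink price that the thread mentions, with a constructed reference price and tolerance.

```python
# Added example, not the project's code: Uniswap V2 spot price from pool
# reserves, computed the way the report's hand calculation does it and then
# with reserves normalized to 18 decimals as the recommendation suggests.
# The 10**16 scale factor in the naive form is taken from the report's
# arithmetic (an assumption); the real _getV2Price() body is not reproduced.

WAD = 10**18


def to_wad(amount: int, decimals: int) -> int:
    """Rescale a raw token amount to 18 decimals (integer math, as in Solidity)."""
    if decimals <= 18:
        return amount * 10 ** (18 - decimals)
    return amount // 10 ** (decimals - 18)


def v2_price_naive(reserve0: int, reserve1: int, scale: int = 10**16) -> int:
    """Price of token0 in token1 from raw reserves, ignoring token decimals.

    Mirrors the report's hand calculation: (reserve1 / reserve0) * 1e16.
    Only correct when both tokens have the decimals the scale assumes.
    """
    return reserve1 * scale // reserve0


def v2_price_normalized(reserve0: int, reserve1: int,
                        decimals0: int, decimals1: int) -> int:
    """Price of token0 in token1 as 18-decimal fixed point, decimals-aware."""
    r0 = to_wad(reserve0, decimals0)
    r1 = to_wad(reserve1, decimals1)
    return r1 * WAD // r0


def within_delta(price: int, reference: int, delta_bps: int) -> bool:
    """Oracle-style sanity check: |price - reference| <= reference * delta_bps / 10_000.

    Stands in for the delta check against the Chainlink price mentioned in
    the thread; the threshold and its unit (basis points) are assumptions.
    """
    tolerance = reference * delta_bps // 10_000
    return abs(price - reference) <= tolerance


def wbtc_usdc_example() -> dict:
    """Constructed reserves for the WBTC/USDC scenario described in the report."""
    reserve_wbtc = 1 * 10**8           # 1 WBTC, 8 decimals (token0)
    reserve_usdc = 25_000 * 10**6      # 25_000 USDC, 6 decimals (token1)
    chainlink_btc_usd = 25_000 * WAD   # constructed reference price, 18 decimals
    naive = v2_price_naive(reserve_wbtc, reserve_usdc)
    fixed = v2_price_normalized(reserve_wbtc, reserve_usdc, 8, 6)
    return {
        "naive": naive,                      # 2.5e18, i.e. "2.5 USD" per BTC
        "normalized": fixed,                 # 25_000e18, the expected price
        "naive_passes_delta": within_delta(naive, chainlink_btc_usd, 500),
        "normalized_passes_delta": within_delta(fixed, chainlink_btc_usd, 500),
    }


if __name__ == "__main__":
    for name, value in wbtc_usdc_example().items():
        print(f"{name}: {value}")
```

Running it shows the naive price landing at 2.5e18 for the 1 WBTC / 25_000 USDC pool, which a 5% delta check against the reference rejects, while the normalized price equals the reference exactly. The rescaling is done before the division so that the quotient is computed on two 18-decimal quantities; rescaling the result afterwards would not recover precision already lost to integer division.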