search

sherlock-audit / 2022-09-notional-judging

4 stars 2 forks source link

Chom - TradingModule getOraclePrice is not supporting token with decimals != 18 #131

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Chom

medium

TradingModule getOraclePrice is not supporting token with decimals != 18

Summary

TradingModule getOraclePrice is not supporting decimals != 18

Vulnerability Detail

        answer =
            (basePrice * quoteDecimals * RATE_DECIMALS) /
            (quotePrice * baseDecimals);
        decimals = RATE_DECIMALS;

RATE_DECIMALS is fixed to 18

Impact

getOraclePrice is not supporting token with decimals != 18

Code Snippet

https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/trading/TradingModule.sol#L228-L231

Tool used

Manual Review

Recommendation

it should use baseOracle.rateDecimals instead of RATE_DECIMALS

        answer =
            (basePrice * quoteDecimals * baseOracle.rateDecimals) /
            (quotePrice * baseDecimals);
        decimals = baseOracle.rateDecimals;
jeffywu commented 1 year ago

This looks like a valid issue

jeffywu commented 1 year ago

@Evert0x, sorry I misread the issue. This is in fact invalid. The trading module always scales exchange rates to 1e18 regardless of token decimals.