Possible division by zero depending on TradingModule.getOraclePrice return values
Summary
Some functions depending on TradingModule.getOraclePrice accept non-negative (int256 answer, int256 decimals) return values. In case any of those are equal to zero, division depending on answer or decimals will revert. In the worst case scenario, this will prevent the protocol from continuing operating.
Vulnerability Detail
The function TradingModule.getOraclePrice properly validates that return values from Chainlink price feeds arepositive.
Nevertheless, answer may currently return zero, as it is calculated as(basePrice * quoteDecimals * RATE_DECIMALS) / (quotePrice * baseDecimals);, which can be truncated down to zero, depending on base/quote prices [1]. Additionally, decimals may in the future return zero, depending on changes to the protocol code, as the NatSpec states that this is a number of decimals in the rate, currently hardcoded to 1e18 [2].
If any of these return values are zero, calculations that use division depending on TradingModule.getOraclePrice will revert.
In the worst case, the protocol might stop operating.
Albeit unlikely that decimals is ever zero, since currently this is a hardcoded value, it is possible that answer might be zero due to round-down performed by the division in TradingModule.getOraclePrice. This can happen if the quote token is much more expensive than the base token. In this case, TradingModule.getLimitAmount and depending calls, such as TradingModule.executeTradeWithDynamicSlippage might revert.
Validate that the return values are strictly positive (instead of non-negative) in case depending function calculations may result in division by zero. This can be either done on TradingModule.getOraclePrice directly or on the depending functions.
MalfurionWhitehat
medium
Possible division by zero depending on
TradingModule.getOraclePrice
return valuesSummary
Some functions depending on
TradingModule.getOraclePrice
accept non-negative(int256 answer, int256 decimals)
return values. In case any of those are equal to zero, division depending onanswer
ordecimals
will revert. In the worst case scenario, this will prevent the protocol from continuing operating.Vulnerability Detail
The function
TradingModule.getOraclePrice
properly validates that return values from Chainlink price feeds are positive.Nevertheless,
answer
may currently return zero, as it is calculated as(basePrice * quoteDecimals * RATE_DECIMALS) / (quotePrice * baseDecimals);
, which can be truncated down to zero, depending on base/quote prices [1]. Additionally,decimals
may in the future return zero, depending on changes to the protocol code, as the NatSpec states that this is anumber of decimals in the rate, currently hardcoded to 1e18
[2].If any of these return values are zero, calculations that use division depending on
TradingModule.getOraclePrice
will revert.More specifically:
[1]
1.1
TradingModule.getLimitAmount
that calls
TradingUtils._getLimitAmount
, which reverts iforaclePrice
is0
[2] 2.1
TwoTokenPoolUtils._getOraclePairPrice
2.2
TradingModule.getLimitAmount
that calls
TradingUtils._getLimitAmount
, which reverts iforacleDecimals
is0
2.3
CrossCurrencyfCashVault.convertStrategyToUnderlying
Impact
In the worst case, the protocol might stop operating.
Albeit unlikely that
decimals
is ever zero, since currently this is a hardcoded value, it is possible thatanswer
might be zero due to round-down performed by the division inTradingModule.getOraclePrice
. This can happen if the quote token is much more expensive than the base token. In this case,TradingModule.getLimitAmount
and depending calls, such asTradingModule.executeTradeWithDynamicSlippage
might revert.Code Snippet
Tool used
Manual Review
Recommendation
Validate that the return values are strictly positive (instead of non-negative) in case depending function calculations may result in division by zero. This can be either done on
TradingModule.getOraclePrice
directly or on the depending functions.