search

sherlock-audit / 2023-02-blueberry-judging

12 stars 5 forks source link

cducrest-brainbot - UniswapV2Oracle fails for pairs of token with more than 18 decimals #317

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

cducrest-brainbot

medium

UniswapV2Oracle fails for pairs of token with more than 18 decimals

Summary

The UniswapV2Oracle fails to get the price for pair of tokens that exceed 36 decimals together.

Vulnerability Detail

The calculation for getPrice within the oracle uses 10**(36 - t0Decimal - t1Decimal) to account for tokens having different decimals. This will underflow and revert if t0Decimal + t1Decimal > 36 which could be the case for tokens using more than 18 decimals.

The protocol gives a list of "currently" supported tokens but seems to suggest that other tokens could be added in the future. We can imagine tokens with more than 18 decimals could be added and make the oracle fail.

Impact

Tokens with more than 18 decimals cannot be added to use the UniswapV2Oracle. Depending on how the protocol evolve, it could be that these tokens are mistakenly added and use the UniswapV2Oracle, counting as 0 towards the value of debt or collateral of the users.

Code Snippet

Uniswapv2Oracle getPrice function:

https://github.com/sherlock-audit/2023-02-blueberry/blob/main/contracts/oracle/UniswapV2Oracle.sol#L20-L38

Tool used

Manual Review

Recommendation

Ensure tokens have less than 18 decimals when whitelisted in BlueBerryBank.sol or rethink calculation.