sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

PawelK - Incorrect `price` returned in `_getSwapResult` for `USDT/USD1` #102

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

PawelK

medium

Incorrect price returned in _getSwapResult for USDT/USD1

Summary

Incorrect price returned in _getSwapResult for USDT/USD1

Vulnerability Detail

Price when priceQuoteToken is tokenIn is calculated as price = request.priceBase * request.priceBase / price;, but this stands true only for tokens with same decimals places. Assuming usdt is eqaul do usd1, when tokenIn=usdt, and tokenOut=usd1, the result is that priceQuoteToken is usdt, priceBase is 1e18, and price is 1e18. But the priceBase of usdt should be 1e6(that doesn't matter because priceBase is not used anywhere after _calculateSwapResult), and the price should be 1e6. The result is that the event price is emitted incorrectly.

Impact

Incorrect price calculated, and the wrong event emitted.

Code Snippet

current code look like this

    if (tokenIn == priceQuoteToken) {
            // The base currency of oracle price is USD1, inverts the price when buying USD1
            price = request.priceBase * request.priceBase / price;
    }

Tool used

Manual Review

Recommendation

Correct code should look like this

 if (tokenIn == priceQuoteToken) {
      // The base currency of oracle price is USD1, inverts the price when buying USD1
     price = IERC20Token(tokenIn).decimals() * request.priceBase / price;
  }