search

sherlock-audit / 2023-07-perennial-judging

2 stars 1 forks source link

minhtrng - Incorrect price calculation in PythOracle #171

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

minhtrng

high

Incorrect price calculation in PythOracle

Summary

The price calculation in PythOracle is incorrect and can lead to prices being many orders of magnitudes higher than their actual price.

Vulnerability Detail

PythOracle._recordPrice performs the following calculation:

_prices[oracleVersion] = Fixed6Lib.from(price.price)
    .mul(Fixed6Lib.from(SafeCast.toInt256(10 ** SafeCast.toUint256(price.expo > 0 ? price.expo : -price.expo))));

The problem is that if the exponent is negative a division by 10^(abs(expo)) should be performed rather than a multiplication. See PythNetwork-docs

Impact

prices used for calculation in the protocol differ hugely from the prices reported by the oracle.

Code Snippet

https://github.com/sherlock-audit/2023-07-perennial/blob/c2f6141c231d3952898ea47793872cac69a1d2af/perennial-v2/packages/perennial-oracle/contracts/pyth/PythOracle.sol#L203

Tool used

Manual Review

Recommendation

Perform a division by 10^(abs(expo)) if expo is negative

Duplicate of #56

sherlock-admin commented 1 year ago

2 comment(s) were left on this issue during the judging contest.

141345 commented:

d

YakuzaKiawe commented:

The protocol needs to convert the expo to uint256 and when you divide it with 10**expo i.e. negative value of expo it could be converted to 0 by floor division