Closed sherlock-admin2 closed 6 months ago
tvdung94
high
BunniPrice::getBunniTokenPrice() returns incorrect price
Summary

BunniPrice::getBunniTokenPrice() returns incorrect price

Vulnerability Detail

BunniPrice::getBunniTokenPrice() incorrectly returns the whole value of the bunni token instead of price.

```solidity
function getBunniTokenPrice(
    address bunniToken_,
    uint8 outputDecimals_,
    bytes calldata params_
) external view returns (uint256) {
    // Decode the parameters
    BunniParams memory params;
    {
        params = abi.decode(params_, (BunniParams));
        if (params.bunniLens == address(0)) {
            revert BunniPrice_Params_InvalidBunniLens(params.bunniLens);
        }

        // Check for invalid bunniToken_
        if (bunniToken_ == address(0)) {
            revert BunniPrice_Params_InvalidBunniToken(bunniToken_);
        }
    }

    // Validate the token
    BunniToken token = BunniToken(bunniToken_);
    BunniLens lens = BunniLens(params.bunniLens);
    {
        address tokenHub;
        try token.hub() returns (IBunniHub tokenHub_) {
            tokenHub = address(tokenHub_);
        } catch (bytes memory) {
            revert BunniPrice_Params_InvalidBunniToken(bunniToken_);
        }

        // Validate the lens
        address lensHub;
        try lens.hub() returns (IBunniHub lensHub_) {
            lensHub = address(lensHub_);
        } catch (bytes memory) {
            revert BunniPrice_Params_InvalidBunniLens(params.bunniLens);
        }

        // Check that the hub matches
        if (tokenHub != lensHub) {
            revert BunniPrice_Params_HubMismatch(tokenHub, lensHub);
        }
    }

    // Validate reserves
    _validateReserves(
        _getBunniKey(token),
        lens,
        params.twapMaxDeviationsBps,
        params.twapObservationWindow
    );

    // Fetch the reserves
    // >>> @audit - this is total value, not price.
    // >>> @audit - need to add price calculation code
    uint256 totalValue = _getTotalValue(token, lens, outputDecimals_);

    return totalValue;
}
```

Impact

Returned price is much bigger than reality. Can potentially lead to fund loss.

Code Snippet

https://github.com/sherlock-audit/2023-11-olympus/blob/main/bophades/src/modules/PRICE/submodules/feeds/BunniPrice.sol#L163-L165

Tool used

Manual Review
Recommendation

Consider adding the following steps:

Divide total value by total supply.

```solidity
function getBunniTokenPrice(
    address bunniToken_,
    uint8 outputDecimals_,
    bytes calldata params_
) external view returns (uint256) {
    // Decode the parameters
    BunniParams memory params;
    {
        params = abi.decode(params_, (BunniParams));
        if (params.bunniLens == address(0)) {
            revert BunniPrice_Params_InvalidBunniLens(params.bunniLens);
        }

        // Check for invalid bunniToken_
        if (bunniToken_ == address(0)) {
            revert BunniPrice_Params_InvalidBunniToken(bunniToken_);
        }
    }

    // Validate the token
    BunniToken token = BunniToken(bunniToken_);
    BunniLens lens = BunniLens(params.bunniLens);
    {
        address tokenHub;
        try token.hub() returns (IBunniHub tokenHub_) {
            tokenHub = address(tokenHub_);
        } catch (bytes memory) {
            revert BunniPrice_Params_InvalidBunniToken(bunniToken_);
        }

        // Validate the lens
        address lensHub;
        try lens.hub() returns (IBunniHub lensHub_) {
            lensHub = address(lensHub_);
        } catch (bytes memory) {
            revert BunniPrice_Params_InvalidBunniLens(params.bunniLens);
        }

        // Check that the hub matches
        if (tokenHub != lensHub) {
            revert BunniPrice_Params_HubMismatch(tokenHub, lensHub);
        }
    }

    // Validate reserves
    _validateReserves(
        _getBunniKey(token),
        lens,
        params.twapMaxDeviationsBps,
        params.twapObservationWindow
    );

    // Fetch the reserves
    uint256 totalValue = _getTotalValue(token, lens, outputDecimals_);

    // Convert the total position value (in outputDecimals_) into a per-token price.
    // Scale by the share token's own decimals before dividing by totalSupply so that
    // integer division does not truncate the price towards zero.
    uint256 price = (totalValue * 10 ** token.decimals()) / token.totalSupply();

    return price;
}
```

Duplicate of #198
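The arithmetic behind the finding, as an added example that is not part of the report or of the Olympus/Bunni code: a small integer model of the total-value computation and of the per-token price step. The helper names (`get_total_value`, `price_per_token`, `mul_div`), the uint256 overflow check and the sample position (10 WETH at $2,000 plus 20,000 USDC, held by 100 share tokens) are all constructed for illustration. It shows three things the report only states in words: the value the current code reports is the whole position (here $40,000), dividing by `totalSupply` without scaling truncates to practically zero, and scaling by the share token's decimals before dividing gives the intended per-token price.

```python
"""Integer model of total-position-value vs. per-token price (added example).

Not the Olympus / Bunni implementation: the functions below reproduce the
arithmetic in plain Python with uint256 semantics so the reported bug and the
scaled fix can be checked offline.
"""

UINT256_MAX = 2**256 - 1


def _u256(x: int) -> int:
    """Mimic Solidity 0.8 checked arithmetic: raise on overflow or underflow."""
    if x < 0 or x > UINT256_MAX:
        raise OverflowError("uint256 overflow")
    return x


def mul_div(a: int, b: int, denominator: int) -> int:
    """a * b / denominator with a full-precision intermediate (mulDiv-style)."""
    if denominator == 0:
        raise ZeroDivisionError("denominator is zero")
    return _u256(a * b // denominator)


def get_total_value(reserves, reserve_decimals, prices):
    """Sum of reserve_i * price_i.

    Models what a _getTotalValue()-style helper returns for one position.
    Assumption of this model: every price is already quoted in the output
    decimals, so each term is only normalised by the reserve's own decimals.
    """
    total = 0
    for amount, dec, price in zip(reserves, reserve_decimals, prices):
        total = _u256(total + mul_div(amount, price, 10**dec))
    return total


def price_as_reported(total_value, total_supply, token_decimals):
    """The reported behaviour: the whole position value is returned as the price."""
    return total_value


def price_naive_division(total_value, total_supply, token_decimals):
    """Unscaled totalValue / totalSupply: integer truncation collapses it to ~0."""
    if total_supply == 0:
        raise ZeroDivisionError("no shares minted")
    return total_value // total_supply


def price_per_token(total_value, total_supply, token_decimals):
    """Per-token price in output decimals: scale by the share token's decimals first."""
    if total_supply == 0:
        raise ZeroDivisionError("no shares minted")
    return mul_div(total_value, 10**token_decimals, total_supply)


# Constructed sample position (not real chain data): 10 WETH at $2,000 and
# 20,000 USDC at $1, represented by 100 share tokens with 18 decimals.
RESERVES = (10 * 10**18, 20_000 * 10**6)
RESERVE_DECIMALS = (18, 6)
PRICES = (2_000 * 10**18, 1 * 10**18)  # USD with 18 (output) decimals
OUTPUT_DECIMALS = 18
TOKEN_DECIMALS = 18
TOTAL_SUPPLY = 100 * 10**18


def demo():
    """Return the three candidate prices for the sample position (output decimals)."""
    total = get_total_value(RESERVES, RESERVE_DECIMALS, PRICES)
    return {
        "total_value": total,
        "reported": price_as_reported(total, TOTAL_SUPPLY, TOKEN_DECIMALS),
        "naive": price_naive_division(total, TOTAL_SUPPLY, TOKEN_DECIMALS),
        "correct": price_per_token(total, TOTAL_SUPPLY, TOKEN_DECIMALS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>12}: {value / 10**OUTPUT_DECIMALS:,.18f} USD")
```

With the constructed numbers the current code reports $40,000 per share token against a true $400, an overstatement by exactly `totalSupply / 10**decimals`; the larger the position, the larger the error, which is why the impact scales with the liquidity the token represents.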