search

sherlock-audit / 2023-12-flatmoney-judging

11 stars 9 forks source link

Avci - Unsafe type casting of `_Price` can malfunction the whole market #274

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 8 months ago

Avci

medium

Unsafe type casting of _Price can malfunction the whole market

Summary

Unsafe type casting of _Price can malfunction the whole market

Vulnerability Detail

in contract OracleModule.sol and te line: 141 we can see function _getOnchainPrice() does an unsafe type of casting in converting the returned _price of chainlink oracle into uint256.

price = uint256(_price) * (10 ** 10); // convert Chainlink oracle decimals 8 -> 18 if the _price returned is negative which can happen then the the unsafe type casting from int256 to uint256 will result in a huge number close to 2**255 which will revert due to overflow.

Impact

oracle will revert and this issue is also possible in both oracles because both will return neg price in https://stackoverflow.com/questions/67094903/anybody-knows-why-chainlinks-pricefeed-return-price-value-with-int-type-while look at this example.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/OracleModule.sol#L141-L158

 function _getOnchainPrice() internal view returns (uint256 price, uint256 timestamp) {
        IChainlinkAggregatorV3 oracle = onchainOracle.oracleContract;
        if (address(oracle) == address(0)) revert FlatcoinErrors.ZeroAddress("oracle");

        (, int256 _price, , uint256 updatedAt, ) = oracle.latestRoundData();
        timestamp = updatedAt;
        // check Chainlink oracle price updated within `maxAge` time.
        if (block.timestamp > timestamp + onchainOracle.maxAge)
            revert FlatcoinErrors.PriceStale(FlatcoinErrors.PriceSource.OnChain);

        if (_price > 0) {
            price = uint256(_price) * (10 ** 10); // convert Chainlink oracle decimals 8 -> 18
        } else {
            // Issue with onchain oracle indicates a serious problem
            revert FlatcoinErrors.PriceInvalid(FlatcoinErrors.PriceSource.OnChain);
        }
    }

Tool used

Manual Review

Recommendation

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

nevillehuang commented 7 months ago

Invalid, if _price is negative, it will revert here