sherlock-audit / 2024-08-sentiment-v2-judging


eeshenggoh - Not all Chainlink non-ETH pairs are 8 decimals #4

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

eeshenggoh

Medium

Not all Chainlink non-ETH pairs are 8 decimals

Summary

ChainlinkUsdOracle.sol is used to calculate an asset's price and return it in ETH value. From the README.md:

If you are integrating tokens, are you allowing only whitelisted tokens to work with the codebase or any complying with the standard? Are they assumed to have certain properties, e.g. be non-reentrant? Are there any types of weird tokens you want to integrate? Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools. Protocol governance will ensure that oracles are only set for standard ERC-20 tokens (plus USDC/USDT)

The problem lies in setting the Chainlink Pricefeed.

Vulnerability Detail

README.md states that "Tokens are whitelisted, only tokens with valid oracles can be used to create Base Pools." Some tokens' price feeds do not have 8 decimals, for example the AMPL / USD feed:

    /// @notice Set Chainlink ETH-denominated feed for an asset
    /// @param asset Address of asset to be priced
    /// @param feed Address of the asset/eth chainlink feed
    /// @param stalePriceThreshold prices older than this duration are considered invalid, denominated in seconds
    /// @dev stalePriceThreshold must be equal or greater to the feed's heartbeat
    function setFeed(address asset, address feed, uint256 stalePriceThreshold) external onlyOwner {
        assert(IAggegregatorV3(feed).decimals() == 8); //@audit
        priceFeedFor[asset] = feed;
        stalePriceThresholdFor[feed] = stalePriceThreshold;
        emit FeedSet(asset, feed);
    }

Impact

The protocol is not able to set a price feed for a non-ETH pair.

Code Snippet

https://github.com/sherlock-audit/2024-08-sentiment-v2/blob/25a0c8aeaddec273c5318540059165696591ecfb/protocol-v2/src/oracle/ChainlinkUsdOracle.sol#L89C1-L99C6

Tool used

Manual Review

Recommendation

    /// @notice Set Chainlink ETH-denominated feed for an asset
    /// @param asset Address of asset to be priced
    /// @param feed Address of the asset/eth chainlink feed
    /// @param stalePriceThreshold prices older than this duration are considered invalid, denominated in seconds
    /// @dev stalePriceThreshold must be equal or greater to the feed's heartbeat
    function setFeed(address asset, address feed, uint256 stalePriceThreshold) external onlyOwner {
-        assert(IAggegregatorV3(feed).decimals() == 8);
        priceFeedFor[asset] = feed;
        stalePriceThresholdFor[feed] = stalePriceThreshold;
        emit FeedSet(asset, feed);
    }
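Review bot: Deleting the `assert(IAggegregatorV3(feed).decimals() == 8)` line (the only change in this snippet) removes the oracle's one guarantee about feed precision without recording what the feed's precision actually is, so any downstream price math that relied on the 8-decimal invariant would silently mis-scale for a feed such as AMPL / USD once it is registered. If non-8-decimal feeds are to be supported, `setFeed` should store `IAggegregatorV3(feed).decimals()` next to the feed (or the reader should query and scale by it), and the NatSpec here should be updated accordingly rather than left describing an ETH-denominated feed for a USD oracle.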

sherlock-admin4 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; Design decision, only tokens with valid oracles can be used to create Base Pools.
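The report above hinges on one assumption: that every registered Chainlink feed reports 8 decimals, and the judge's position is that governance simply never registers a feed that does not. For readers who want to see what a feed-agnostic oracle looks like instead, the following is an added example, written for this page and not code from the Sentiment v2 repository. The contract name, the inline `IAggregatorV3` interface (a subset of Chainlink's `AggregatorV3Interface`) and the 36-decimal cap are all assumptions of the example; it records each feed's `decimals()` at registration and normalizes every answer to 18 decimals, with staleness and sign checks on the read path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal subset of Chainlink's AggregatorV3Interface (declared inline for the example).
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical oracle that caches each feed's precision instead of asserting it equals 8.
contract DecimalsAwareOracle {
    struct Feed {
        address aggregator;
        uint8 decimals;               // read once from the feed when it is registered
        uint256 stalePriceThreshold;  // seconds; must be >= the feed's heartbeat
    }

    mapping(address => Feed) public feedFor;
    address public immutable owner;

    error NotOwner();
    error NoFeed(address asset);
    error StalePrice(address feed, uint256 updatedAt);
    error InvalidPrice(address feed, int256 answer);
    error UnsupportedDecimals(address feed, uint8 decimals);

    event FeedSet(address indexed asset, address indexed feed, uint8 decimals);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Registers a feed of any precision; the precision is stored rather than assumed.
    function setFeed(address asset, address feed, uint256 stalePriceThreshold) external onlyOwner {
        uint8 dec = IAggregatorV3(feed).decimals();
        // uint8 allows up to 255, and 10 ** (255 - 18) would overflow uint256.
        // 36 is an arbitrary but comfortable ceiling chosen for this example.
        if (dec > 36) revert UnsupportedDecimals(feed, dec);
        feedFor[asset] = Feed({aggregator: feed, decimals: dec, stalePriceThreshold: stalePriceThreshold});
        emit FeedSet(asset, feed, dec);
    }

    /// Returns the latest answer scaled to 18 decimals, rejecting stale or non-positive prices.
    function getPriceE18(address asset) external view returns (uint256) {
        Feed memory f = feedFor[asset];
        if (f.aggregator == address(0)) revert NoFeed(asset);

        (, int256 answer, , uint256 updatedAt, ) = IAggregatorV3(f.aggregator).latestRoundData();
        if (answer <= 0) revert InvalidPrice(f.aggregator, answer);
        if (block.timestamp - updatedAt > f.stalePriceThreshold) revert StalePrice(f.aggregator, updatedAt);

        return _scaleTo18(uint256(answer), f.decimals);
    }

    /// Rescales a value with `dec` decimals to 18 decimals (8 -> 18 multiplies by 1e10, 18 -> 18 is a no-op).
    function _scaleTo18(uint256 value, uint8 dec) internal pure returns (uint256) {
        if (dec == 18) return value;
        if (dec < 18) return value * (10 ** (18 - dec));
        return value / (10 ** (dec - 18));
    }
}
```

Caching `decimals()` at registration keeps the read path to a single external call; the trade-off is that if a feed's aggregator is ever swapped behind its proxy for one with different precision, the stored value goes stale, so an operator would re-run `setFeed` (or the contract could read `decimals()` on every call at the cost of an extra external call).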