zlsecure3 / review_Aark


should assert `vars.defaultOraclePrice` is not negative in `PriceOracle::_getPriceFeed(uint256 assetId)` function #6

Open zlsecure3 opened 1 year ago

zlsecure3 commented 1 year ago

subject

should assert vars.defaultOraclePrice is not negative in PriceOracle::_getPriceFeed(uint256 assetId) function

description

It's possible that latestRoundData() returns a negative price when things go wrong, as its type is int instead of uint. Should assert the returned price is not negative to be safe; otherwise, when a negative integer is returned, uint256(vars.defaultOraclePrice) will be extremely big.

recommendation

Add an assertion that vars.defaultOraclePrice is not negative after L159.

locations

severity

Low

damage

exploitability

category

Integer Overflow and Underflow


system_generated: auditor:alansh submission_id:1756996825
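The cast the finding describes and the recommended guard, as an added illustration that is not the project's code: `PriceOracleExample`, `MockFeed` and the `feeds` mapping are assumptions standing in for the real `PriceOracle` and its `vars.defaultOraclePrice`; the `AggregatorV3Interface.latestRoundData()` signature is Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Chainlink's aggregator interface; latestRoundData() returns the price as a signed int256.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical stand-in for the PriceOracle contract discussed in the issue (assumption, not project code).
contract PriceOracleExample {
    mapping(uint256 => AggregatorV3Interface) public feeds; // assetId => price feed

    constructor(uint256 assetId, AggregatorV3Interface feed) {
        feeds[assetId] = feed;
    }

    // Shape of the reported problem: the int256 answer is cast straight to uint256.
    // A negative answer such as -1 becomes 2**256 - 1 (type(uint256).max) after the cast,
    // so a broken or manipulated feed yields an astronomically large "price".
    function getPriceUnchecked(uint256 assetId) external view returns (uint256) {
        (, int256 answer, , , ) = feeds[assetId].latestRoundData();
        return uint256(answer);
    }

    // Hardened shape per the recommendation: reject a negative answer before the cast.
    // (A zero price is usually rejected too, i.e. `answer > 0`, but the finding asks for non-negative.)
    function getPriceChecked(uint256 assetId) external view returns (uint256) {
        (, int256 answer, , , ) = feeds[assetId].latestRoundData();
        require(answer >= 0, "PriceOracle: negative oracle price");
        return uint256(answer);
    }
}

// Constructed mock feed for exercising both paths in a unit test (e.g. Foundry or Hardhat).
contract MockFeed is AggregatorV3Interface {
    int256 public answer;

    function setAnswer(int256 a) external {
        answer = a;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, answer, block.timestamp, block.timestamp, 1);
    }
}
```

With `MockFeed.setAnswer(-1)`, `getPriceUnchecked` returns `type(uint256).max` while `getPriceChecked` reverts, which is the behaviour the finding wants.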

zlsecure3 commented 1 year ago

grading (edit)

submission_id:1756996825

review_type:GRADING

result: TBD-yes,no

rating: TBD-123

comment: TBD-Rejected,Accepted by Secure3.

severity: TBD-Critical,Medium,Low,Informational

category:

description:


zlsecure3 commented 1 year ago

client feedback (manual copy)

submission_id:1756996825

review_type:CLIENT_FEEDBACK

result: TBD-yes,no

severity: TBD-Critical,Medium,Low,Informational

comment:


zlsecure3 commented 1 year ago

client feedback decision (edit)

submission_id:1756996825

review_type:CLIENT_FEEDBACK_DECISION

result: TBD-yes,no,yes-honored,no-honored

severity: TBD-Critical,Medium,Low,Informational

comment: