PegOracle does not work with oracles that have 18 decimals #214
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
satisfactory
satisfies C4 submission criteria; eligible for awards
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/oracles/PegOracle.sol#L78
Vulnerability details
Impact
When
priceFeed1.decimals() == 8
(USD pairs),PegOracle
correctly scales the price to 8 decimals. However, when the decimals of both feeds have 18 decimals (ETH pairs), the scaling is not performed correctly, causing prices to be 0, causingController.getLatestPrice
to always revert.Proof Of Concept
Let's say a vault for AAVE/BTC should be deployed. There is no such Chainlink feed, but there is a feed for AAVE/ETH (https://etherscan.io/address/0x6df09e975c830ecae5bd4ed9d90f3a95a4f88012) and BTC/ETH (https://etherscan.io/address/0xdeb288f737066589598e9214e782fa5a8ed689e8). As one can see on the etherscan pages, these both returns prices with 18 decimals (as every */ETH pair does).
If such a configuraiton is used,
nowPrice
will be scaled by 0 decimals (asdecimals10 = 10 ** 0 = 1
), meaning it will have 4 decimals.latestRoundData()
returns thennowPrice / 1000000
, which scales the price to -2 decimals, meaning it will be 0 in most cases and causeController.getLatestPrice
to revert.Recommended Mitigation Steps
Because
nowPrice
has always 4 decimals in line 73 (note that we divide the prices, which have the same amount of decimals and multiply this by 10^4 in the lines above), it should be multiplied by 10**4, no matter how many decimals the price feed has.The text was updated successfully, but these errors were encountered: