Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PegOracle does not work with oracles that have 18 decimals #214

Closed
code423n4 opened this issue Sep 18, 2022 · 1 comment
Closed

PegOracle does not work with oracles that have 18 decimals #214

code423n4 opened this issue Sep 18, 2022 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-09-y2k-finance/blob/bca5080635370424a9fe21fe1aded98345d1f723/src/oracles/PegOracle.sol#L78

Vulnerability details

Impact

When priceFeed1.decimals() == 8 (USD pairs), PegOracle correctly scales the price to 8 decimals. However, when the decimals of both feeds have 18 decimals (ETH pairs), the scaling is not performed correctly, causing prices to be 0, causing Controller.getLatestPrice to always revert.

Proof Of Concept

Let's say a vault for AAVE/BTC should be deployed. There is no such Chainlink feed, but there is a feed for AAVE/ETH (https://etherscan.io/address/0x6df09e975c830ecae5bd4ed9d90f3a95a4f88012) and BTC/ETH (https://etherscan.io/address/0xdeb288f737066589598e9214e782fa5a8ed689e8). As one can see on the etherscan pages, these both returns prices with 18 decimals (as every */ETH pair does).

If such a configuraiton is used, nowPrice will be scaled by 0 decimals (as decimals10 = 10 ** 0 = 1), meaning it will have 4 decimals. latestRoundData() returns then nowPrice / 1000000, which scales the price to -2 decimals, meaning it will be 0 in most cases and cause Controller.getLatestPrice to revert.

Recommended Mitigation Steps

Because nowPrice has always 4 decimals in line 73 (note that we divide the prices, which have the same amount of decimals and multiply this by 10^4 in the lines above), it should be multiplied by 10**4, no matter how many decimals the price feed has.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 18, 2022
code423n4 added a commit that referenced this issue Sep 18, 2022
@code423n4
Lambda issue #214
ed0a346
@MiguelBits MiguelBits added duplicate This issue or pull request already exists sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons and removed duplicate This issue or pull request already exists labels Sep 30, 2022
@HickupHH3
Copy link
Collaborator

dup #195

@HickupHH3 HickupHH3 added 3 (High Risk) Assets can be stolen/lost/compromised directly satisfactory satisfies C4 submission criteria; eligible for awards duplicate This issue or pull request already exists and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate This issue or pull request already exists satisfactory satisfies C4 submission criteria; eligible for awards sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MiguelBits @code423n4 @HickupHH3