PegOracle doesn't support decimals other than 8 #248
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/main/src/oracles/PegOracle.sol#L73-L78
Vulnerability details
Impact
PegOracle reports wrong prices when the underlying oracle uses decimals other than 8. A price reported by PegOracle can trigger a depeg event immediately after an epoch has started.
Proof of Concept
In the above case, the underlying oracles use 14 decimals; the prices they report also use 14 decimals. It's expected that the PegOracle reports 1e14, but it reports 100, which is way below any reasonable strike price. The Controller won't be able to scale the price: it will multiply 100 by 10**(18-14), which equals 100e4, not 1e14.
While most Chainlink oracles use 8 decimals, some of them use 18 (all ETH pairs, e.g. LINK/ETH).
Recommended Mitigation Steps
In the latestRoundData function of PegOracle, scale the final price to match the decimals of the underlying oracles.
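The arithmetic in the report, as an added example that is not part of the original issue or the project's code: an integer model that reproduces the 100 reported at 14 decimals and compares it with a price scaled to the feeds' own decimals. Assumptions: the function names, the shape of the flawed formula (a ratio divided by a constant that only fits 8 decimals), the 0.99 strike price and the "below strike" depeg check are all constructed for illustration.

```python
# Added example: integer model of the decimals mismatch. Python ints with //
# truncate like Solidity division on positive values. All names are hypothetical.

STRIKE_18 = 99 * 10**16  # constructed strike price: 0.99 in 18 decimals


def peg_price_hardcoded(price1: int, price2: int, feed_decimals: int) -> int:
    """Assumed flawed shape: ratio in 1/10000 units, scaled by the feed's
    decimals, then divided by a constant that is only right for 8 decimals."""
    ratio = min(price1, price2) * 10_000 // max(price1, price2)
    return ratio * 10 ** (18 - feed_decimals) // 1_000_000


def peg_price_scaled(price1: int, price2: int, feed_decimals: int) -> int:
    """Mitigation: express the ratio in the underlying feeds' own decimals."""
    return min(price1, price2) * 10**feed_decimals // max(price1, price2)


def controller_scale(price: int, feed_decimals: int) -> int:
    """Controller-side scaling described in the report: price * 10**(18 - d)."""
    return price * 10 ** (18 - feed_decimals)


def is_depeg(price: int, feed_decimals: int, strike: int = STRIKE_18) -> bool:
    """Assumed check: depeg when the 18-decimal price is below the strike."""
    return controller_scale(price, feed_decimals) < strike


def compare(feed_decimals: int) -> dict:
    """Both feeds report exactly 1.0, so the assets are perfectly pegged."""
    one = 10**feed_decimals
    flawed = peg_price_hardcoded(one, one, feed_decimals)
    fixed = peg_price_scaled(one, one, feed_decimals)
    return {
        "flawed": flawed,
        "flawed_depeg": is_depeg(flawed, feed_decimals),
        "fixed": fixed,
        "fixed_depeg": is_depeg(fixed, feed_decimals),
    }


if __name__ == "__main__":
    for d in (8, 14):
        print(d, compare(d))
```

With 8-decimal feeds both variants agree; with 14-decimal feeds only the hardcoded variant signals a depeg while the two prices are identical.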