PegOracle incorrectly processes decimals for ETH-pairs, thereby producing incorrect prices #352
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- decimals
- duplicate: This issue or pull request already exists
- oracle
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/2175c044af98509261e4147edeb48e1036773771/src/oracles/PegOracle.sol#L67-L82
Vulnerability details
Impact
`PegOracle` combines two different Chainlink oracles, thereby allowing the protocol to directly compare the prices of two different tokens. Chainlink has two main types of price feeds, X/USD pairs and X/ETH pairs. The former report prices with 8 decimals, while the latter report prices with 18 decimals.

`PegOracle` handles X/USD pairs correctly but mishandles X/ETH pairs, and therefore misreports any price that is derived from ETH pairs. For ETH pairs the reported price is far too low (it rounds down to 0), so vaults will automatically be registered as depegged even though the underlying assets have not depegged, allowing hedge users to unfairly profit.
Proof of Concept
1. `PegOracle` is deployed on ETH-pairs, so `decimals` is initialised to 18.
2. `latestRoundData()` is called; `nowPrice` is calculated and has 4 decimals, because the decimals of `price2` and `price1` cancel each other out.
3. `priceFeed1.decimals()` is 18, so `decimals10` becomes 1.
4. `nowPrice` stays at 4 decimals, and when it is returned it now has -2 decimals even though `PegOracle.decimals() = 18`.
5. `price` rounds down to 0, which is incorrect.

The current formula for the number of decimals of the returned `price` is `16 - x`, where `x = priceFeed1.decimals()`. Therefore, for 8 decimals (USD pairs) `PegOracle` is correct, while for 18 decimals (ETH pairs) the result has -2 decimals.

Tools Used
VS Code
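The decimal arithmetic traced in the Proof of Concept above, as an added example that is not part of the original finding or of the y2k-finance code base. It models the steps the finding describes (ratio scaled to 4 decimals, multiplied by `10**(18 - priceFeed1.decimals())`, then divided by `10**6`, which is what gives the `16 - x` formula) in Solidity-style integer arithmetic, runs the same sample prices through an 8-decimal and an 18-decimal feed pair, and contrasts it with a ratio that is scaled directly to the feed's own decimals. The final `10**6` divisor is taken from the linked `PegOracle.sol`; the price inputs and the `fixed_peg_price` suggestion are constructed here and are not the warden's mitigation.

```python
# Added example: integer model of the PegOracle decimals handling described in
# the finding. Not the contract's code; sample prices are constructed.

def sdiv(a: int, b: int) -> int:
    """Solidity-style signed integer division (truncates toward zero)."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


def peg_oracle_price(price1: int, price2: int, feed_decimals: int) -> int:
    """Model of PegOracle.latestRoundData() as traced in the finding.

    1. the smaller price is divided by the larger one and scaled to 4 decimals;
    2. the result is multiplied by 10**(18 - priceFeed1.decimals());
    3. the result is divided by 10**6 before being returned (divisor taken
       from the linked PegOracle.sol; treat as an assumption if unverified).
    Net decimals of the return value: 4 + (18 - feed_decimals) - 6 = 16 - feed_decimals.
    """
    if price1 > price2:
        now_price = sdiv(price2 * 10_000, price1)
    else:
        now_price = sdiv(price1 * 10_000, price2)
    decimals10 = 10 ** (18 - feed_decimals)
    now_price = now_price * decimals10
    return sdiv(now_price, 1_000_000)


def fixed_peg_price(price1: int, price2: int, feed_decimals: int) -> int:
    """One way to report the ratio at the feed's own decimals (this example's
    suggestion, not the finding's elided mitigation): scale the numerator by
    10**feed_decimals in a single step, so the result has feed_decimals
    decimals whether the feeds use 8 (X/USD) or 18 (X/ETH)."""
    lo, hi = (price2, price1) if price1 > price2 else (price1, price2)
    return sdiv(lo * 10 ** feed_decimals, hi)


def decimals_of_returned_price(feed_decimals: int) -> int:
    """The 16 - x formula from the finding."""
    return 16 - feed_decimals


def depeg_triggered(reported_price: int, strike_price: int) -> bool:
    """Simplified depeg test (assumption: a vault depegs when the reported
    price falls below its strike, both at the same decimals)."""
    return reported_price < strike_price


# Constructed sample: two pegged assets, one trading 0.5% below the other.
USD_PAIR = (100_000_000, 99_500_000)        # 1.000 and 0.995 with 8 decimals
ETH_PAIR = (10**18, 995 * 10**15)           # the same prices with 18 decimals

if __name__ == "__main__":
    for name, (p1, p2), dec in (("X/USD", USD_PAIR, 8), ("X/ETH", ETH_PAIR, 18)):
        current = peg_oracle_price(p1, p2, dec)
        fixed = fixed_peg_price(p1, p2, dec)
        strike = 97 * 10 ** (dec - 2)          # 0.97 at the feed's decimals
        print(f"{name}: PegOracle returns {current} "
              f"(nominally {decimals_of_returned_price(dec)} decimals), "
              f"depeg={depeg_triggered(current, strike)}; "
              f"direct scaling returns {fixed}, "
              f"depeg={depeg_triggered(fixed, strike)}")
```

For the 8-decimal pair both paths agree on 99500000 (0.995) and no depeg fires; for the 18-decimal pair the modelled contract returns 0, which is below any strike, so the vault depegs although the assets are only 0.5% apart.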
Recommended Mitigation Steps
Rewrite
latestRoundData()
to: