Wrong calculation of nowPrice
in PegOracle.latestRoundData
.
#399
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/oracles/PegOracle.sol#L78
Vulnerability details
Impact
Wrong calculation of
nowPrice
inPegOracle.latestRoundData
.PegOracle.latestRoundData
always returnsnowPrice = 0
for normal 18 decimals tokens.Proof of Concept
From the below formula, we can see
nowPrice <= 10000
.After that, it's divided by
1e6
here and it will be 0 for normal 18 decimals tokens.Tools Used
Manual Review
Recommended Mitigation Steps
We should change
nowPrice / 1000000
tonowPrice / 10000
.The text was updated successfully, but these errors were encountered: