PegOracle.sol always returns 0 for assets with 18 decimals #46
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-09-y2k-finance/blob/ac3e86f07bc2f1f51148d2265cc897e8b494adf7/src/oracles/PegOracle.sol#L46-L83
Vulnerability details
Impact
Due to precision loss, PegOracle.sol always returns 0 for assets with 18 decimals, which is a majority of all Chainlink oracles.
Proof of Concept
nowPrice is set to the ratio between the prices, scaled to 4 decimals. If the oracle returns 18 decimals (as a vast majority of Chainlink oracles do), then the price will not be scaled at all. When the ratio is returned, it is divided by 1,000,000. Since the ratio is only scaled to 4 decimals and is being divided by 7 decimals, the division will always return 0 due to precision loss. Additionally, the contest description states that it should return 18 decimals, but in no scenario does it return the ratio to 18 decimals.
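The arithmetic described above can be modelled with plain integers to see which feed precisions truncate to 0. This is an added example, not code from the submission or from the Y2K repository; the smaller-over-larger ratio, the 10**(18 - decimals) scale-up factor, all function names and the sample prices are assumptions made for illustration.

```python
RATIO_SCALE = 10_000        # ratio scaled to 4 decimals, as the report states
RETURN_DIVISOR = 1_000_000  # divisor applied when the ratio is returned


def peg_ratio_as_described(price1: int, price2: int, feed_decimals: int) -> int:
    """Model the described computation with integer (truncating) division."""
    if price1 <= 0 or price2 <= 0:
        raise ValueError("prices must be positive")
    if not 0 <= feed_decimals <= 18:
        raise ValueError("feed_decimals must be between 0 and 18")
    # Assumption: the ratio is smaller price over larger, so it is at most 1.
    low, high = sorted((price1, price2))
    now_price = (low * RATIO_SCALE) // high
    # Assumption: scale-up factor is 10**(18 - decimals), i.e. 1 at 18 decimals.
    now_price *= 10 ** (18 - feed_decimals)
    return now_price // RETURN_DIVISOR


def reference_ratio_18(price1: int, price2: int) -> int:
    """Reference value for comparison: the same ratio expressed at 18 decimals."""
    low, high = sorted((price1, price2))
    return (low * 10 ** 18) // high


def collapsing_decimals(num: int, den: int) -> list[int]:
    """Feed precisions (0..18) at which the modelled result truncates to 0."""
    return [d for d in range(19)
            if peg_ratio_as_described(num * 10 ** d, den * 10 ** d, d) == 0]


if __name__ == "__main__":
    # Constructed sample: one asset at 0.997 against a pegged asset at 1.000.
    for d in (8, 18):
        p1, p2 = 997 * 10 ** (d - 3), 10 ** d
        print(d, peg_ratio_as_described(p1, p2, d), reference_ratio_18(p1, p2))
    print(collapsing_decimals(997, 1000))
```

Under these assumptions the result is 0 for every ratio once the feed reports 17 or 18 decimals, because the scaled ratio can never reach the 1,000,000 divisor.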
Tools Used
Recommended Mitigation Steps
PegOracle.sol#latestRoundData price calculations should be rewritten as follows: