Skip to content

Latest commit

 

History

History
64 lines (45 loc) · 1.81 KB

080.md

File metadata and controls

64 lines (45 loc) · 1.81 KB

peanuts

high

DAIEthOracle in StableOracleDAI.sol uses wETH-wBGL UniswapV3 pool instead of the wETH-DAI pool

Summary

DAIEthOracle uses the contract address of the wETH-wBGL UniswapV3 pool.

Vulnerability Detail

The DAIEthOracle contract address, 0x982152A6C7f732Ec7C9EA998dDD9Ebde00Dfa16e, points to the wETH-wBGL pool, which does not matter to DAI-WETH.

https://etherscan.io/address/0x982152a6c7f732ec7c9ea998ddd9ebde00dfa16e#readContract

contract StableOracleDAI is IStableOracle {
    AggregatorV3Interface priceFeedDAIETH;
    IStaticOracle DAIEthOracle;
    IStableOracle ethOracle;

    constructor() {
        priceFeedDAIETH = AggregatorV3Interface(
            0x773616E4d11A78F511299002da57A0a94577F1f4
        );
///@audit - here
        DAIEthOracle = IStaticOracle(
            0x982152A6C7f732Ec7C9EA998dDD9Ebde00Dfa16e
        );
        uint256 DAIWethPrice = DAIEthOracle.quoteSpecificPoolsWithTimePeriod(
            1000000000000000000, // 1 Eth
            0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, // WETH (base token)
            0x6B175474E89094C44Da98b954EedeAC495271d0F, // DAI (quote token)
            pools, // DAI/WETH pool uni v3
            600 // period
        );

Impact

DAIEthOracle will point to the wETH-wBGL pool instead of the wETH-DAI pool, resulting in wrong pricing.

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L27-L29

Tool used

Manual Review

Recommendation

Use the DAI-WETH pool instead, like how it is done in StableOracleWBGL.sol where both pools and staticOracle uses the same address.

        DAIEthOracle = IStaticOracle(
-           0x982152A6C7f732Ec7C9EA998dDD9Ebde00Dfa16e
+           0x60594a405d53811d3BC4766596EFD80fd545A270
        );