Open Dollar - 0xWaitress's results

A floating $1.00 pegged stablecoin backed by Liquid Staking Tokens with NFT controlled vaults.

General Information

Platform: Code4rena

Start Date: 18/10/2023

Pot Size: $36,500 USDC

Total HM: 17

Participants: 77

Period: 7 days

Judge: MiloTruck

Total Solo HM: 5

Id: 297

League: ETH

Researcher Performance

Rank: 62/77

Findings: 1

Award: $26.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-323

Awards

26.0735 USDC - $26.07

External Links

Lines of code

https://github.com/open-dollar/od-contracts/blob/dev/src/contracts/oracles/CamelotRelayer.sol#L58

Vulnerability details

Impact

Camelot Relayer does not work with pairs whose quoteToken has more than 18 decimals.

In Camelot Relayer, the constructor sets a variable multiplier, which stores the decimal multiplier used to normalize the ratio of quote tokens over base token to 1e18.

  constructor(address _baseToken, address _quoteToken, uint32 _quotePeriod) {
    // camelotPair = ICamelotFactory(_CAMELOT_FACTORY).getPair(_baseToken, _quoteToken);
    camelotPair = IAlgebraFactory(_CAMELOT_FACTORY).poolByPair(_baseToken, _quoteToken);
    if (camelotPair == address(0)) revert CamelotRelayer_InvalidPool();

    address _token0 = ICamelotPair(camelotPair).token0();
    address _token1 = ICamelotPair(camelotPair).token1();

    // The factory validates that both token0 and token1 are desired baseToken and quoteTokens
    if (_token0 == _baseToken) {
      baseToken = _token0;
      quoteToken = _token1;
    } else {
      baseToken = _token1;
      quoteToken = _token0;
    }

    baseAmount = uint128(10 ** IERC20Metadata(_baseToken).decimals());
    multiplier = 18 - IERC20Metadata(_quoteToken).decimals();

Impact: if quoteToken has more than 18 decimals, the constructor would simply revert.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Tools Used

Consider handling tokens with more than 18 decimals, for example using ray maths.

Assessed type

Math
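
The subtraction pattern reported above next to one way to scale a quote to 18 decimals in both directions, as an added example that is not part of the original submission or the od-contracts code base. The contract and function names are hypothetical, and it branches on the decimals rather than using the ray maths the finding suggests.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not code from od-contracts. All names here are hypothetical.
contract QuoteScalingExample {
  uint8 internal constant _TARGET_DECIMALS = 18;

  // Pattern from the finding: in Solidity >=0.8 the checked uint8 subtraction
  // reverts with Panic(0x11) whenever _quoteDecimals > 18.
  function multiplierAsReported(uint8 _quoteDecimals) external pure returns (uint256 _multiplier) {
    _multiplier = 18 - _quoteDecimals;
  }

  // Branching alternative: scale up for tokens at or below 18 decimals, scale down above.
  function toWad(uint256 _quoteResult, uint8 _quoteDecimals) external pure returns (uint256 _wad) {
    if (_quoteDecimals <= _TARGET_DECIMALS) {
      // The exponent is at most 18. The multiplication stays checked and
      // reverts if the scaled quote would not fit in uint256.
      return _quoteResult * 10 ** uint256(_TARGET_DECIMALS - _quoteDecimals);
    }
    uint256 _excess = uint256(_quoteDecimals) - _TARGET_DECIMALS;
    // 10 ** 78 exceeds type(uint256).max, so any uint256 divided by it is 0.
    // Returning 0 directly avoids an overflow revert in the exponentiation.
    if (_excess > 77) return 0;
    // Integer division truncates: up to 10 ** _excess - 1 units of the quote are dropped.
    return _quoteResult / 10 ** _excess;
  }
}
```

Scaling down loses precision, so a consumer of the 18-decimal value should treat quotes from tokens with more than 18 decimals as rounded toward zero.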

#0 - c4-pre-sort

2023-10-25T22:21:06Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-10-25T22:21:10Z

raymondfam marked the issue as primary issue

#2 - raymondfam

2023-10-25T22:22:44Z

The same shall apply to UniV3Relayer.sol too.

#3 - c4-pre-sort

2023-10-27T05:08:09Z

raymondfam marked the issue as duplicate of #323

#4 - c4-judge

2023-11-02T08:45:42Z

MiloTruck marked the issue as satisfactory
