Platform: Code4rena
Start Date: 18/10/2023
Pot Size: $36,500 USDC
Total HM: 17
Participants: 77
Period: 7 days
Judge: MiloTruck
Total Solo HM: 5
Id: 297
League: ETH
Rank: 57/77
Findings: 1
Award: $33.90
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: 0xmystery
Also found by: 0x6d6164616e, 0xWaitress, 0xsurena, Tendency, ZanyBonzy, cryptothemex, hals, lsaudit, ni8mare, niki, phoenixV110, spark, tnquanghuy0512, twcctop
33.8956 USDC - $33.90
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L58
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L103-L105
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L64
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L110-L112
The current design of the CamelotRelayer and UniV3Relayer contracts limits their compatibility to only those _quoteToken values that have a decimal count of 18 or fewer. If an attempt is made to deploy either contract with a token having more than 18 decimals as the _quoteToken, the contract deployment will fail due to an underflow during the multiplier calculation. This poses no financial risk but restricts the contracts' adaptability in the wider DeFi ecosystem, preventing their use with tokens that have more than 18 decimals.
The restriction emerges from the constructor, where the multiplier is deduced as 18 - IERC20Metadata(_quoteToken).decimals().
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/CamelotRelayer.sol#L58
https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/oracles/UniV3Relayer.sol#L64
multiplier = 18 - IERC20Metadata(_quoteToken).decimals();
For tokens like YAMv2, which possess 24 decimals, the computation would attempt 18 - 24, which results in an underflow, making the contract deployment unsuccessful.
Manual
1. Alter the datatype of multiplier to int256 to account for both positive and negative values.
2. Adjust the multiplier's computation in the constructor to handle situations where token decimals might be greater or less than 18.

    // Signed difference between 18 and the quote token's decimals
    int8 decimalsDifference = 18 - int8(IERC20Metadata(_quoteToken).decimals());
    multiplier = int256(decimalsDifference);

3. Update the _parseResult function to either multiply or divide the _quoteResult depending on the multiplier value.

    function _parseResult(uint256 _quoteResult) internal view returns (uint256 _result) {
      if (multiplier > 0) {
        // Fewer than 18 decimals: scale the quote up
        return _quoteResult * (10 ** uint256(multiplier));
      } else if (multiplier < 0) {
        // More than 18 decimals: scale the quote down
        return _quoteResult / (10 ** uint256(-multiplier));
      } else {
        return _quoteResult;
      }
    }
Note: Additional code refactoring will be required to make baseAmount and its value assignment int256 as well.
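The behaviour described in this finding, as an added Python model (not code from the report or from od-contracts): it reproduces the checked uint8 subtraction in the current constructor and the signed multiplier from the mitigation, then normalizes quotes for 6-, 18- and 24-decimal tokens. The function names, the Panic class and the sample quotes are hypothetical and constructed for illustration, and the model covers only decimals up to 127.

```python
UINT8_MAX = 2**8 - 1
UINT256_MAX = 2**256 - 1


class Panic(Exception):
    """Stands in for the Solidity 0.8 arithmetic panic that reverts the call."""


def checked(value, upper):
    # Solidity >= 0.8 reverts on unsigned under/overflow instead of wrapping.
    if not 0 <= value <= upper:
        raise Panic(f"{value} outside [0, {upper}]")
    return value


def original_multiplier(decimals):
    # decimals() returns uint8, so `18 - decimals` is evaluated as a uint8.
    return checked(18 - decimals, UINT8_MAX)


def proposed_multiplier(decimals):
    # Signed difference from the mitigation; modelled only where the int8
    # cast keeps the value unchanged (assumption: decimals <= 127).
    if not 0 <= decimals <= 127:
        raise ValueError("outside the range this model covers")
    return 18 - decimals


def parse_result(quote_result, multiplier):
    # Mirrors the proposed _parseResult: scale up, scale down, or pass through.
    if multiplier > 0:
        return checked(quote_result * 10**multiplier, UINT256_MAX)
    if multiplier < 0:
        return quote_result // 10 ** (-multiplier)  # truncates low digits
    return quote_result


def deploy_and_quote(decimals, raw_quote, multiplier_fn):
    """Return the 18-decimal quote, or None if the constructor would revert."""
    try:
        multiplier = multiplier_fn(decimals)
    except Panic:
        return None
    return parse_result(raw_quote, multiplier)


if __name__ == "__main__":
    # Constructed sample quotes: 1.5 units of a 6-, 18- and 24-decimal token.
    for dec in (6, 18, 24):
        raw = 15 * 10 ** (dec - 1)
        print(dec, deploy_and_quote(dec, raw, original_multiplier),
              deploy_and_quote(dec, raw, proposed_multiplier))
```

With the signed multiplier, a 24-decimal quote is divided by 10^6, so its lowest six digits are dropped during normalization.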
Under/Overflow
#0 - c4-pre-sort
2023-10-26T17:42:31Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-10-26T17:42:41Z
raymondfam marked the issue as duplicate of #18
#2 - c4-pre-sort
2023-10-27T05:06:53Z
raymondfam marked the issue as not a duplicate
#3 - c4-pre-sort
2023-10-27T05:07:05Z
raymondfam marked the issue as primary issue
#4 - c4-pre-sort
2023-10-27T05:07:12Z
raymondfam marked the issue as high quality report
#5 - c4-sponsor
2023-10-31T18:59:51Z
pi0neerpat (sponsor) confirmed
#6 - c4-judge
2023-11-02T06:04:53Z
MiloTruck marked the issue as selected for report
#7 - MiloTruck
2023-11-02T06:06:10Z
The warden has demonstrated how CamelotRelayer.sol and UniV3Relayer.sol cannot be deployed for tokens with more than 18 decimals, which limits the functionality of the protocol unnecessarily. As such, medium severity is appropriate.
#8 - c4-judge
2023-11-02T08:45:34Z
MiloTruck marked the issue as satisfactory