Inverse Finance contest - CertoraInc's results

Rethink the way you borrow.

General Information

Platform: Code4rena

Start Date: 25/10/2022

Pot Size: $50,000 USDC

Total HM: 18

Participants: 127

Period: 5 days

Judge: 0xean

Total Solo HM: 9

Id: 175

League: ETH

Researcher Performance

Rank: 94/127

Findings: 1

Award: $24.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

24.2165 USDC - $24.22

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-533

External Links

Lines of code

https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L78

Vulnerability details

Impact

Decimals limitation limits the collateral asset that can be used

Proof of Concept

The problem is in the viewPrice function in the Oracle.sol contract: https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L78. In line 87 there's a decimals calculation that will be used later to normalize the token price to match 128 decimals: uint8 decimals = 36 - feedDecimals - tokenDecimals;. The problem occurs when 36 - feedDecimals < tokenDecimals (which implies 36 - feedDecimals - tokenDecimals < 0 and causes underflow). So, for example, feedDecimals = 18 and tokenDecimals = 24 will cause an underflow, thus this collateral asset cannot be used in the system.
And that is a pretty big limitation on the system.

Tools Used

Manual audit.
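The subtraction described in the finding, next to two possible ways to handle it, as an added example that is not part of the submission or the contest repository. The library name, function names and custom error are hypothetical, and it assumes Solidity 0.8 checked arithmetic and that the computed value is used as a power-of-ten multiplier on the price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not code from the contest repository.
// Library, function and error names are hypothetical.
library DecimalsScaling {
    error UnsupportedDecimals(uint8 feedDecimals, uint8 tokenDecimals);

    // Same subtraction as the line quoted in the finding. With 0.8 checked
    // arithmetic it reverts (Panic 0x11) when feedDecimals + tokenDecimals > 36,
    // e.g. feedDecimals = 18 and tokenDecimals = 24.
    // Assumption: the result is then used as a power-of-ten multiplier.
    function scaleReverting(uint256 price, uint8 feedDecimals, uint8 tokenDecimals)
        internal pure returns (uint256)
    {
        uint8 decimals = 36 - feedDecimals - tokenDecimals;
        return price * (10 ** decimals);
    }

    // One possible mitigation: widen to uint256 and divide when the combined
    // decimals exceed 36. Division truncates, so low-order digits are lost,
    // and 10 ** n itself still reverts for n > 77.
    function scaleBothWays(uint256 price, uint8 feedDecimals, uint8 tokenDecimals)
        internal pure returns (uint256)
    {
        uint256 sum = uint256(feedDecimals) + uint256(tokenDecimals);
        if (sum <= 36) {
            return price * (10 ** (36 - sum));
        }
        return price / (10 ** (sum - 36));
    }

    // Alternative: reject unsupported pairs when a feed is registered, so the
    // limit surfaces as an explicit configuration error instead of a Panic
    // at price-read time.
    function requireSupported(uint8 feedDecimals, uint8 tokenDecimals) internal pure {
        if (uint256(feedDecimals) + uint256(tokenDecimals) > 36) {
            revert UnsupportedDecimals(feedDecimals, tokenDecimals);
        }
    }
}
```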

#0 - c4-judge

2022-11-04T23:40:10Z

0xean marked the issue as duplicate

#1 - Simon-Busch

2022-12-05T15:13:57Z

Marked satisfactory as requested by @0xean

#2 - c4-judge

2022-12-06T00:03:41Z

0xean changed the severity to 2 (Med Risk)

#3 - c4-judge

2022-12-07T08:18:20Z

Simon-Busch marked the issue as duplicate of #533
