Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 92/127
Findings: 2
Award: $24.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 8olidity, BClabs, CertoraInc, Chom, Franfran, Lambda, RaoulSchaffranek, Ruhum, codexploder, cryptphi, eierina, joestakey, kaden, neumo, pashov, rvierdiiev, sorrynotsorry
24.2165 USDC - $24.22
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L87-L88
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L121-L122
The oracle cannot price a token with more than 18 decimals: every call that normalizes its price reverts.
uint8 decimals = 36 - feedDecimals - tokenDecimals;
With feedDecimals = 18 (an ETH-denominated feed) and tokenDecimals > 18 the unsigned subtraction underflows, which reverts under checked arithmetic, so the oracle never returns a price and a market using that token can neither borrow nor liquidate. The threshold depends on the feed: with an 8-decimal USD feed the same underflow occurs once tokenDecimals exceeds 28.
Use a signed exponent instead of uint8, and divide rather than multiply in the normalized price line when the exponent is negative:
int8 decimals = 36 - int8(feedDecimals) - int8(tokenDecimals); // int8 casts assume decimals <= 127
uint normalizedPrice;
if (decimals >= 0) {
    normalizedPrice = price * (10 ** uint8(decimals));
} else {
    normalizedPrice = price / (10 ** uint8(-decimals)); // truncates the lowest digits of price
}
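To show exactly which feed/token decimal combinations hit the underflow, and that the signed exponent preserves the scaling for all of them, here is an added example written for this edit; it is a Python model of the normalisation, not code from the Inverse Finance repository. The scaling it assumes follows the finding: normalizedPrice = price * 10^(36 - feedDecimals - tokenDecimals), so that amount_in_base_units * normalizedPrice / 1e18 is a value in 18-decimal units. It goes beyond the 18-decimal feed in the text and maps the reverting range for any feed decimals.

```python
from fractions import Fraction
from typing import List

# Added example, not code from the Inverse Finance repository: a model of the
# normalisation in Oracle.sol, used to map out where the unsigned exponent
# reverts and to check that a signed exponent keeps the scaling correct.
# Scaling assumed, following the finding: normalizedPrice = price * 10^(36-f-t),
# so that amountBaseUnits * normalizedPrice / 1e18 is a value in 18-decimal units.


def normalize_unsigned(price: int, feed_decimals: int, token_decimals: int) -> int:
    """Mirror of `uint8 decimals = 36 - feedDecimals - tokenDecimals; price * 10**decimals`.

    Solidity 0.8 checked arithmetic reverts on the uint8 underflow; this model
    raises OverflowError at the same inputs.
    """
    exp = 36 - feed_decimals - token_decimals
    if exp < 0:
        raise OverflowError(f"uint8 underflow: 36 - {feed_decimals} - {token_decimals} < 0")
    return price * 10 ** exp


def normalize_signed(price: int, feed_decimals: int, token_decimals: int) -> int:
    """The finding's fix: signed exponent, multiply when >= 0, divide otherwise.

    Integer division truncates the lowest -exp digits of the feed price.
    """
    exp = 36 - feed_decimals - token_decimals
    if exp >= 0:
        return price * 10 ** exp
    return price // 10 ** (-exp)


def value_18(amount_base_units: int, normalized_price: int) -> int:
    """Value of a collateral amount as a consumer computes it from a normalized price."""
    return amount_base_units * normalized_price // 10 ** 18


def exact_value_18(amount_base_units: int, token_decimals: int,
                   price: int, feed_decimals: int) -> Fraction:
    """Reference value in 18-decimal units, computed exactly in rationals."""
    return (Fraction(amount_base_units, 10 ** token_decimals)
            * Fraction(price, 10 ** feed_decimals)
            * 10 ** 18)


def reverting_token_decimals(feed_decimals: int, max_token_decimals: int = 36) -> List[int]:
    """Every tokenDecimals in 0..max_token_decimals at which the original formula reverts."""
    reverting = []
    for t in range(max_token_decimals + 1):
        try:
            normalize_unsigned(1, feed_decimals, t)
        except OverflowError:
            reverting.append(t)
    return reverting


def scaling_error(feed_decimals: int, token_decimals: int, price: int,
                  whole_tokens: int = 1) -> Fraction:
    """Relative error of the signed normalisation against the exact value.

    Zero unless the division in normalize_signed truncated significant digits.
    """
    amount = whole_tokens * 10 ** token_decimals
    got = value_18(amount, normalize_signed(price, feed_decimals, token_decimals))
    want = exact_value_18(amount, token_decimals, price, feed_decimals)
    return abs(want - got) / want


if __name__ == "__main__":
    # 18-decimal (ETH-pair) feed: the original formula reverts for every token above 18 decimals
    print("ETH feed reverts for tokenDecimals:", reverting_token_decimals(18))
    # 8-decimal (USD) feed: the same underflow only starts past 28 decimals
    print("USD feed reverts for tokenDecimals:", reverting_token_decimals(8))
    # Signed fix on a 24-decimal token priced at 0.5 ETH: 1 token is worth 0.5e18
    print(value_18(10 ** 24, normalize_signed(5 * 10 ** 17, 18, 24)))
    # Precision caveat: a dust price keeps only its top digits after the division
    print(float(scaling_error(18, 24, 123456789)))
```

The last case is the caveat that comes with the fix: when the exponent is negative the feed price is divided before it is used, so a token with many decimals and a very small quoted price keeps only a few significant digits. For realistic prices the error is zero, but a consumer should be aware that the fix trades a revert for truncation.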
#0 - c4-judge
2022-11-05T22:25:18Z
0xean marked the issue as duplicate
#1 - c4-judge
2022-11-28T16:03:46Z
0xean marked the issue as not a duplicate
#2 - c4-judge
2022-11-28T16:03:55Z
0xean marked the issue as duplicate of #540
#3 - Simon-Busch
2022-12-05T15:33:46Z
Issue marked as satisfactory as requested by 0xean
#4 - c4-judge
2022-12-07T08:18:20Z
Simon-Busch marked the issue as duplicate of #533
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives
0.385 USDC - $0.38
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L81-L83
https://github.com/code-423n4/2022-10-inverse/blob/3e81f0f5908ea99b36e6ab72f13488bbfe622183/src/Oracle.sol#L115-L117
Chainlink may return a stale price. A stale price feeds directly into borrowing and liquidation: an attacker can profit from the gap between the stale and the market price, as in the LUNA incident, where a paused feed left a lending protocol valuing collateral far above its market price. Some previous C4 contests have rated this as high severity.
// get price from feed
uint price = feeds[token].feed.latestAnswer();
require(price > 0, "Invalid feed price");
The oracle reads latestAnswer, which returns the price alone and carries no freshness information (Chainlink also lists it as deprecated). Detecting a stale answer requires checking the round ID and the updatedAt timestamp alongside the price, but the contract checks only that the price is positive.
Perform the required stale-price check with latestRoundData instead:
(uint80 baseRoundID, int256 answer, /* startedAt */, uint256 bpUpdatedAt, uint80 baseAnsweredInRound) = feeds[token].feed.latestRoundData();
require(baseAnsweredInRound >= baseRoundID, "Stale price"); // answer carried over from an earlier round
require(block.timestamp - bpUpdatedAt <= maxOracleFreshnessInSeconds, "Stale price"); // maxOracleFreshnessInSeconds: a freshness bound the contract would need to add, set per feed from its heartbeat
require(answer > 0, "Invalid feed price"); // latestRoundData returns a signed answer
uint price = uint(answer);
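To make the gap between the current price-only check and the recommended one concrete, here is an added example written for this edit; it is an off-chain Python model of the latestRoundData() validation, not code from the Inverse Finance repository or from Chainlink. The round data, the block timestamp (NOW), the feed heartbeat and the staleness bound are all constructed assumptions; it runs the legacy check and the full check side by side over fresh, time-stale, carried-over, incomplete and negative rounds.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example, not code from the Inverse Finance repository or from Chainlink:
# an off-chain model of the latestRoundData() validation the finding recommends,
# run over constructed round data. NOW, HEARTBEAT and MAX_STALENESS are assumptions;
# on-chain the bound must be configured per feed from that feed's heartbeat.


@dataclass(frozen=True)
class RoundData:
    """The five values AggregatorV3Interface.latestRoundData() returns."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def legacy_check(rd: RoundData) -> bool:
    """What Oracle.sol checks today: only that the latest answer is positive."""
    return rd.answer > 0


def validate_round(rd: RoundData, now: int, max_staleness: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for the full check: round, timestamp and sign."""
    if rd.answered_in_round < rd.round_id:
        return False, "answer carried over from an earlier round"
    if rd.updated_at == 0:
        return False, "round not complete"
    if rd.updated_at > now:
        return False, "updatedAt lies in the future"
    if now - rd.updated_at > max_staleness:
        return False, f"answer is {now - rd.updated_at}s old, limit {max_staleness}s"
    if rd.answer <= 0:
        return False, "non-positive answer"
    return True, "fresh"


def split_round_id(round_id: int) -> Tuple[int, int]:
    """Proxy roundIds pack the phase id in the top 16 bits above a 64-bit aggregator round."""
    return round_id >> 64, round_id & ((1 << 64) - 1)


NOW = 1_667_000_000              # constructed block.timestamp
HEARTBEAT = 3600                 # assumed feed heartbeat (1 h)
MAX_STALENESS = HEARTBEAT + 300  # heartbeat plus a margin for late updates
PHASE = 1 << 64                  # phase 1 of a proxy feed

# Constructed scenarios; answers are 8-decimal USD-style prices.
SCENARIOS = {
    "fresh": RoundData(PHASE | 500, 1_500 * 10**8, NOW - 120, NOW - 100, PHASE | 500),
    "stale_by_time": RoundData(PHASE | 500, 1_500 * 10**8, NOW - 3 * 3600 - 20, NOW - 3 * 3600, PHASE | 500),
    "carried_over": RoundData(PHASE | 502, 1_500 * 10**8, NOW - 60, NOW - 50, PHASE | 500),
    "incomplete": RoundData(PHASE | 503, 0, NOW - 10, 0, PHASE | 503),
    "negative": RoundData(PHASE | 504, -1, NOW - 60, NOW - 50, PHASE | 504),
}


def compare_checks(scenarios: Dict[str, RoundData], now: int = NOW,
                   max_staleness: int = MAX_STALENESS) -> Dict[str, Tuple[bool, bool]]:
    """Per scenario: (accepted by the current price-only check, accepted by the full check)."""
    return {name: (legacy_check(rd), validate_round(rd, now, max_staleness)[0])
            for name, rd in scenarios.items()}


if __name__ == "__main__":
    for name, (legacy, strict) in compare_checks(SCENARIOS).items():
        reason = validate_round(SCENARIOS[name], NOW, MAX_STALENESS)[1]
        print(f"{name:14s} legacy={legacy!s:5s} strict={strict!s:5s} {reason}")
```

The price-only check accepts the three-hour-old answer and the carried-over round because both still carry a positive price; only the timestamp and round comparisons reject them. Two caveats for the on-chain version: the staleness bound must match each feed's own heartbeat, since a single global value is either too loose for fast feeds or reverts constantly on slow ones, and Chainlink has since marked answeredInRound as deprecated, so the updatedAt bound is the check to rely on. A reverting oracle also blocks liquidations, so the protocol needs a deliberate answer to what happens while a feed is stale.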
#0 - c4-judge
2022-11-05T18:48:45Z
0xean marked the issue as duplicate
#1 - Simon-Busch
2022-12-05T15:15:29Z
Marked satisfactory as requested by @0xean
#2 - c4-judge
2022-12-06T00:02:40Z
0xean changed the severity to 2 (Med Risk)
#3 - c4-judge
2022-12-07T08:14:13Z
Simon-Busch marked the issue as duplicate of #584