Platform: Code4rena
Start Date: 25/10/2022
Pot Size: $50,000 USDC
Total HM: 18
Participants: 127
Period: 5 days
Judge: 0xean
Total Solo HM: 9
Id: 175
League: ETH
Rank: 91/127
Findings: 2
Award: $24.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 8olidity, BClabs, CertoraInc, Chom, Franfran, Lambda, RaoulSchaffranek, Ruhum, codexploder, cryptphi, eierina, joestakey, kaden, neumo, pashov, rvierdiiev, sorrynotsorry
24.2165 USDC - $24.22
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L119-L121
The line 122 in the Oracle.sol contract purpose is to normalize the price of the feed to 18 decimals in order to return the price of the underlying token in DOLA. The issue is that the decimals calculation is done wrong, leading to incorrect calculations and for most of the time (when the underlying decimals are less than 18) an hyper-inflated price of the token in DOLA.
Let's take the BTC/USD price feed contract. We can see that the feed decimals is 8, and the BTC decimals is 8 as well. By doing a quick calculation, the decimals will be
uint8 decimals = 36 - feedDecimals (8) - feedDecimals (8); └── (decimals = 20)
So at a today price of BTC at about 21k$, the normalized price would be
uint normalizedPrice = price * (10 ** decimals); | | â”” (20) | â”” (21,000 * 1e8) â”” (21,000 * 1e28)
While the "fair" price should be 21,000 * 1e18 (DOLA).
This would of course lead to disastrous consequence because every lender loan in BTC would be scaled by 1e10.
CLion
// Oracle.sol L.121 - | uint8 decimals = 36 - feedDecimals - tokenDecimals; + | uint8 decimals = 18 - feedDecimals;
Thanks to this, tokenDecimals is now useless and there is no need for a FeedData struct.
#0 - c4-judge
2022-11-05T00:13:56Z
0xean marked the issue as duplicate
#1 - 0xean
2022-11-28T15:52:29Z
#2 - c4-judge
2022-11-28T15:52:34Z
0xean marked the issue as unsatisfactory: Invalid
#3 - c4-judge
2022-12-06T00:03:42Z
0xean changed the severity to 2 (Med Risk)
#4 - c4-judge
2022-12-07T08:18:20Z
Simon-Busch marked the issue as duplicate of #533
🌟 Selected for report: rbserver
Also found by: 0x1f8b, 0xNazgul, 0xc0ffEE, 8olidity, Aymen0909, Chom, Franfran, Jeiwan, Jujic, Lambda, M4TZ1P, Olivierdem, Rolezn, Ruhum, TomJ, Wawrdog, __141345__, bin2chen, c7e7eff, carlitox477, catchup, cccz, codexploder, cuteboiz, d3e4, dipp, djxploit, eierina, elprofesor, hansfriese, horsefacts, idkwhatimdoing, imare, immeas, joestakey, ladboy233, leosathya, martin, minhtrng, pashov, peanuts, pedroais, rokinot, rvierdiiev, saneryee, sorrynotsorry, tonisives
0.385 USDC - $0.38
https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L6 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L82 https://github.com/code-423n4/2022-10-inverse/blob/main/src/Oracle.sol#L82
Chainlink latestAnswer() should never be used as it is not a reliable source of data.
From one of the deployed oracles at: 0x72AFAECF99C9d9C8215fF44C77B94B99C28741e8 on etherscan
overridden function to add the checkAccess() modifier "deprecated". Use latestRoundData instead. This does not error if no answer has been reached, it will simply return 0. Either wait to point to an already answered Aggregator or use the recommended latestRoundData instead which includes better verification information.
It is also explained in the Chainlink docs that the latestAnswer() function is deprecated.
Even if it is checked that the price is not null, an invalid price could be returned by the aggregators during an unfinished round.
As explained, we should use latestRoundData and take care of the return parameters.
Chainlink docs
CLion
- uint price = feeds[token].feed.latestAnswer(); + (uint80 roundId, int256 price, uint256 timestamp, uint80 ansRoundId) = feeds[token].feed.latestRoundData(); + require(price > 0, "Invalid feed price"); + require(ansRoundId >= roundID, "Stale feed price"); + require(timestamp != 0, "Incomplete feed round");
#0 - neumoxx
2022-10-31T08:48:38Z
Probably over-inflated severity Duplicate of #601
#1 - iFrostizz
2022-10-31T09:24:07Z
Probably over-inflated severity Duplicate of #601
There is a similar finding that was a high severity one: https://code4rena.com/reports/2022-07-juicebox/#h-01-oracle-data-feed-can-be-outdated-yet-used-anyways-which-will-impact-payment-logic
#2 - neumoxx
2022-10-31T10:08:51Z
It has also been flagged as Med before: https://github.com/code-423n4/2021-06-tracer-findings/issues/145 Let's see what the Judge and the Sponsor think about it, but there are 45 duplicates of your issue and only one marked as High.
#3 - 0xean
2022-11-05T17:45:44Z
Certainly doesn't qualify as H severity. Will leave open as M for sponsor review.
#4 - c4-judge
2022-11-05T17:45:51Z
0xean marked the issue as change severity
#5 - c4-judge
2022-11-05T17:45:55Z
0xean marked the issue as primary issue
#6 - 08xmt
2022-11-15T14:25:56Z
#7 - c4-sponsor
2022-11-15T14:26:21Z
08xmt marked the issue as sponsor confirmed
#8 - c4-judge
2022-11-28T19:35:28Z
0xean marked the issue as satisfactory
#9 - c4-judge
2022-12-07T08:14:13Z
Simon-Busch marked the issue as duplicate of #584