Platform: Code4rena
Start Date: 24/07/2023
Pot Size: $100,000 USDC
Total HM: 18
Participants: 73
Period: 7 days
Judge: alcueca
Total Solo HM: 8
Id: 267
League: ETH
Rank: 56/73
Findings: 1
Award: $44.88
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: immeas
Also found by: 0x70C9, 0xAnah, 0xArcturus, 0xComfyCat, 0xWaitress, 0xackermann, 0xkazim, 2997ms, 33audits, Arz, Aymen0909, ChrisTina, JP_Courses, John_Femi, Jorgect, Kaysoft, LosPollosHermanos, MohammedRizwan, Nyx, Rolezn, Sathish9098, Stormreckson, T1MOH, Tendency, Topmark, Udsen, Vagner, albertwh1te, ast3ros, banpaleo5, berlin-101, catellatech, cats, codetilda, cryptonue, eeshenggoh, fatherOfBlocks, hals, jamshed, jaraxxus, josephdara, kankodu, kodyvim, kutugu, lanrebayode77, mert_eren, nadin, naman1778, niki, petrichor, ravikiranweb3, said, solsaver, souilos, twcctop, wahedtalash77
44.8793 USDC - $44.88
The vulnerability in the scalePrice function is a loss of precision in the division used to scale prices down. The contract is protected against overflow, but it has no protection against truncation: Solidity's integer division discards the fractional part of the result, so any price smaller than the scaling divisor (10 ** (priceDecimals - expectedDecimals)) is scaled to zero rather than to a small non-zero value.
Returning a zero price from the oracle could have serious impact on the protocol.
With an 18-decimal feed price of 100 and expectedDecimals of 2, the expression evaluates as follows:

price / (10 ** uint256(priceDecimals - expectedDecimals)).toInt256()
= 100 / (10 ** uint256(18 - 2)).toInt256()
= 100 / (10 ** uint256(16)).toInt256()
= 100 / 10000000000000000
= 0
Manual / VSC.
To mitigate this vulnerability, the scaling should be done in fixed-point arithmetic that preserves the fractional part (for example, by keeping the price at the higher precision and only dividing at the last step), and the function should revert rather than return a zero price when a non-zero feed value truncates to zero. Note that an overflow library such as SafeMath does not help here: it guards the multiplication and division against overflow but does nothing about truncation of the quotient.
Math
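The following Python model is an added example and is not the audited project's code, nor code from the warden or the judge. It reproduces Solidity's truncating integer division so the PoC above can be exercised offline, and pairs the unchecked scaler with a hardened variant that reverts when a non-zero feed price would collapse to zero. The function names (scale_price, min_nonzero_price, scale_price_checked), the revert conditions and the sample inputs are assumptions for illustration.

```python
"""
Model of an oracle price-scaling routine using Solidity-style integer math.
Added example, not the audited project's code: the function names, the
revert conditions and the sample inputs are assumptions for illustration.
"""


def _div_trunc(a: int, b: int) -> int:
    """Integer division that truncates toward zero, as Solidity's `/` does on
    int256. Python's `//` floors instead, which differs for negative operands."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def scale_price(price: int, price_decimals: int, expected_decimals: int) -> int:
    """Unchecked scaler mirroring the pattern in the finding: when the feed has
    more decimals than expected, the surplus decimals are divided away and the
    fractional part of the quotient is lost."""
    if price_decimals > expected_decimals:
        return _div_trunc(price, 10 ** (price_decimals - expected_decimals))
    return price * 10 ** (expected_decimals - price_decimals)


def min_nonzero_price(price_decimals: int, expected_decimals: int) -> int:
    """Smallest positive feed value (in feed units) that survives scaling.
    Every positive value below it truncates to zero."""
    if price_decimals <= expected_decimals:
        return 1
    return 10 ** (price_decimals - expected_decimals)


def scale_price_checked(price: int, price_decimals: int, expected_decimals: int) -> int:
    """Hardened scaler: the equivalent of Solidity `require` statements that the
    feed price is positive and that it does not collapse to zero when scaled."""
    if price <= 0:
        raise ValueError("oracle returned a non-positive price")
    scaled = scale_price(price, price_decimals, expected_decimals)
    if scaled == 0:
        floor = min_nonzero_price(price_decimals, expected_decimals)
        raise ValueError(f"price {price} is below the minimum representable {floor}")
    return scaled


if __name__ == "__main__":
    # Constructed inputs matching the PoC: an 18-decimal feed scaled to 2 decimals.
    print(scale_price(100, 18, 2))           # the PoC case: 100 / 10**16 truncates to 0
    print(min_nonzero_price(18, 2))          # 10**16, i.e. 0.01 in 18-decimal units
    print(scale_price(5 * 10**15, 18, 2))    # a 0.005 quote-per-base price is also lost
    print(scale_price(123456789, 8, 18))     # scaling up is lossless
    try:
        scale_price_checked(100, 18, 2)
    except ValueError as exc:
        print("reverted:", exc)
```

The zero guard is the minimal fix that turns a silent bad price into a revert; min_nonzero_price makes the precision floor explicit so that an integrator can tell in advance which base/quote decimal pairs (such as an 18-decimal base against a 2-decimal quote) cannot be served by a scaler that divides away the surplus decimals.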
#0 - c4-pre-sort
2023-08-03T13:30:32Z
0xSorryNotSorry marked the issue as primary issue
#1 - ElliotFriedman
2023-08-03T21:11:20Z
expected decimals is always 18, so this is not an issue.
#2 - c4-sponsor
2023-08-03T21:11:26Z
ElliotFriedman marked the issue as sponsor disputed
#3 - alcueca
2023-08-12T21:47:43Z
This is a great spot to plug in this article of mine: https://hackernoon.com/getting-prices-right
price in the PoC matches the base token decimals, which are 18 like in WETH. We are aiming to get a price in the quote token, which, having 2 decimals, must be GUSD. This means that we need to remove 16 decimals from the price, and any price below 0.01 GUSD/WETH will be rounded down to zero.
While this is a fault of GUSD, it does mean that certain asset pairs won't work because of the difference in decimals and relative values. In that sense, this is valid QA.
#4 - c4-judge
2023-08-12T21:48:01Z
alcueca changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-08-12T21:48:05Z
alcueca marked the issue as grade-a