Badger eBTC Audit + Certora Formal Verification Competition - OMEN's results

Lines of code

https://github.com/code-423n4/2023-10-badger/blob/f2f2e2cf9965a1020661d179af46cb49e993cb7e/packages/contracts/contracts/PriceFeed.sol#L445-L463

Vulnerability details

Impact

wrong calculation in chainlinkPriceChangeMax leads to be unfair

Proof of Concept

            function _chainlinkPriceChangeAboveMax(
    ChainlinkResponse memory _currentResponse,
    ChainlinkResponse memory _prevResponse
) internal pure returns (bool) {
    uint256 minPrice = EbtcMath._min(_currentResponse.answer, _prevResponse.answer);
    uint256 maxPrice = EbtcMath._max(_currentResponse.answer, _prevResponse.answer);

    /*
     * Use the larger price as the denominator:
     * - If price decreased, the percentage deviation is in relation to the the previous price.
     * - If price increased, the percentage deviation is in relation to the current price.
     */
    uint256 percentDeviation = maxPrice > 0
        ? ((maxPrice - minPrice) * EbtcMath.DECIMAL_PRECISION) / maxPrice
        : 0;

    // Return true if price has more than doubled, or more than halved.
    return percentDeviation > MAX_PRICE_DEVIATION_FROM_PREVIOUS_ROUND;
}

calculation will be unfair when price is increased , max price is used in denominator SO percentage will be less than percentage of that when it's decreased . let's say current price is 5000 and prev price is 4000 , percentage will be 1000/5000 = 20 % , when price is dropped 1000 instead of increase , calculation will be 1000/4000= 25%

Tools Used

manual view

Recommended Mitigation Steps

user previous price instead of max price

Assessed type

Math