Platform: Code4rena
Start Date: 01/08/2023
Pot Size: $91,500 USDC
Total HM: 14
Participants: 80
Period: 6 days
Judge: gzeon
Total Solo HM: 6
Id: 269
League: ETH
Rank: 22/80
Findings: 1
Award: $482.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: said
Also found by: 0xmuxyz, LokiThe5th, Satyam_Sharma, T1MOH, Team_FliBit, radev_sw
482.4792 USDC - $482.48
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L374
poolMatchesOracle() is used by many functions in GeVault to read the price directly from the Uniswap v3 pool:

```solidity
/// @notice Checks that the pool price isn't manipulated
function poolMatchesOracle() public view returns (bool matches){
    // slot0() returns the current sqrt(price) as a Q64.96 fixed-point uint160
    (uint160 sqrtPriceX96,,,,,,) = uniswapPool.slot0();
    uint decimals0 = token0.decimals();
    uint decimals1 = token1.decimals();
    uint priceX8 = 10**decimals0;
    // Overflow if dont scale down the sqrtPrice before div 2*192
    // ** binds tighter than * and /, so this evaluates as
    // ((priceX8 * (sqrtPriceX96 / 2**12)**2) * 1e8) / 2**168
    priceX8 = priceX8 * uint(sqrtPriceX96 / 2 ** 12) ** 2 * 1e8 / 2**168;
    priceX8 = priceX8 / 10**decimals1;
    // the excerpt stops here; the oracle comparison that sets `matches`
    // follows in the linked source
}
```

https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L366C2-L378C4
The issue is that the calculation of priceX8 is likely to overflow. sqrtPriceX96 is a Q64.96 value, so 96 of its bits are fractional; 10**decimals1 alone takes 60 bits when decimals is 18. That leaves very few bits for the non-fractional part of sqrtPriceX96 before the intermediate product exceeds 256 bits and the call reverts.
Recommended Mitigation: Consider converting the sqrtPrice to a 60x18 format and performing arithmetic operations using the PRBMathUD60x18 library.
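To make the bound concrete, here is an added Python model (not code from the finding or from the GoodEntry repository) that re-evaluates the priceX8 expression with Solidity's evaluation order, checking every intermediate against uint256 the way Solidity 0.8 checked arithmetic does, and compares it with a single full-precision multiply-then-divide that stands in for the fixed-point library arithmetic the mitigation recommends (the exact PRBMathUD60x18 call sequence is not reproduced). The pool prices and decimals are constructed sample inputs, not market data.

```python
"""Model of the uint256 overflow in GeVault.poolMatchesOracle()'s priceX8 maths.

Added example, not code from the finding or the GoodEntry repository. It
re-evaluates the Solidity expression with Python integers, checking every
intermediate against uint256 (Solidity 0.8: overflow => revert), and compares
it with a full-precision computation standing in for the fixed-point library
arithmetic the mitigation recommends.
"""
from fractions import Fraction
import math

UINT256_MAX = 2**256 - 1


def sqrt_price_x96(token1_per_token0: Fraction, decimals0: int, decimals1: int) -> int:
    """Encode a human-readable price (token1 per token0) as Uniswap v3's
    sqrtPriceX96: sqrt(raw price) in Q64.96 fixed point, where the raw price
    is expressed in the tokens' smallest units."""
    raw = token1_per_token0 * Fraction(10**decimals1, 10**decimals0)
    # sqrt(raw) * 2**96 == sqrt(raw * 2**192); isqrt floors like the pool does
    return math.isqrt(raw.numerator * 2**192 // raw.denominator)


def price_x8_gevault(sqrt_price_x96: int, decimals0: int, decimals1: int):
    """Evaluate priceX8 exactly as GeVault does, in Solidity's order
    (** binds tighter than *, then left to right), checking every
    intermediate. Returns (priceX8, None), or (None, step) naming the
    multiplication at which a uint256 would overflow and the call revert."""
    price_x8 = 10**decimals0
    scaled = sqrt_price_x96 // 2**12           # uint(sqrtPriceX96 / 2 ** 12)
    acc = scaled**2                             # ... ** 2
    steps = [("scaled ** 2", acc)]
    acc = price_x8 * acc                        # priceX8 * ...
    steps.append(("priceX8 * scaled ** 2", acc))
    acc = acc * 10**8                           # ... * 1e8
    steps.append(("priceX8 * scaled ** 2 * 1e8", acc))
    for name, value in steps:
        if value > UINT256_MAX:
            return None, name
    acc = acc // 2**168                         # ... / 2**168
    return acc // 10**decimals1, None           # priceX8 / 10**decimals1


def price_x8_full_precision(sqrt_price_x96: int, decimals0: int, decimals1: int) -> int:
    """The same quantity as one full-precision multiply-then-divide, so only
    the final result must fit in uint256. This models what a fixed-point
    library with 512-bit intermediates (PRBMath's mulDiv) buys you; the exact
    PRBMathUD60x18 call sequence is an assumption not reproduced here.
    price_raw = (sqrtPriceX96 / 2**96) ** 2 and
    priceX8   = price_raw * 1e8 * 10**decimals0 / 10**decimals1."""
    num = sqrt_price_x96 * sqrt_price_x96 * 10**8 * 10**decimals0
    den = 2**192 * 10**decimals1
    result = num // den
    if result > UINT256_MAX:
        raise OverflowError("priceX8 itself does not fit in uint256")
    return result


def check_pair(token1_per_token0: str, decimals0: int, decimals1: int) -> dict:
    """Run both computations for one pool and report where GeVault's version fails."""
    sp = sqrt_price_x96(Fraction(token1_per_token0), decimals0, decimals1)
    gevault, overflow_step = price_x8_gevault(sp, decimals0, decimals1)
    return {
        "sqrtPriceX96_bits": sp.bit_length(),
        "gevault_priceX8": gevault,
        "overflow_at": overflow_step,
        "full_precision_priceX8": price_x8_full_precision(sp, decimals0, decimals1),
    }


if __name__ == "__main__":
    # Constructed sample pools; prices are illustrative, not market data.
    samples = [
        ("WETH/USDC (token0 18 dec, token1 6 dec, 1800 USDC per ETH)", "1800", 18, 6),
        ("WBTC/WETH (token0 8 dec, token1 18 dec, 16 WETH per BTC)", "16", 8, 18),
        ("18/18 pair (10 token1 per token0)", "10", 18, 18),
    ]
    for label, price, d0, d1 in samples:
        r = check_pair(price, d0, d1)
        status = (f"REVERTS at `{r['overflow_at']}`" if r["overflow_at"]
                  else f"ok -> {r['gevault_priceX8']}")
        print(f"{label}\n  sqrtPriceX96 uses {r['sqrtPriceX96_bits']} bits; "
              f"GeVault: {status}; full precision: {r['full_precision_priceX8']}")
```

The pairs where GeVault's formula survives are those where the integer part of sqrtPriceX96 is small, i.e. the raw price in smallest units is below roughly 1 (an 18-decimal token0 quoted in a 6-decimal token1, for example). Once the raw price is large, as with WBTC as token0 against WETH, the `* 1e8` step exceeds 2**256 and the whole call reverts, which blocks every GeVault function that relies on poolMatchesOracle(). Working out the threshold from the bit widths: with decimals0 = 18 the product overflows once sqrtPriceX96 reaches about 2**97, and with decimals0 = 8 at about 2**113, which is exactly the budget problem the finding describes.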
Decimal
#0 - c4-pre-sort
2023-08-09T16:35:41Z
141345 marked the issue as duplicate of #140
#1 - c4-judge
2023-08-20T17:32:22Z
gzeon-c4 changed the severity to 3 (High Risk)
#2 - c4-judge
2023-08-20T17:32:26Z
gzeon-c4 marked the issue as satisfactory