Mimo DeFi contest - broccolirob's results

Bridging the chasm between the DeFi world and the world of regulated financial institutions.

General Information

Platform: Code4rena

Start Date: 28/04/2022

Pot Size: $50,000 USDC

Total HM: 7

Participants: 43

Period: 5 days

Judge: gzeon

Total Solo HM: 2

Id: 115

League: ETH

Mimo DeFi

Findings Distribution

Researcher Performance

Rank: 11/43

Findings: 1

Award: $1,119.44

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: 0x1f8b

Also found by: broccolirob, pauliax

Labels

bug
duplicate
2 (Med Risk)
disagree with severity

Awards

1119.4434 USDC - $1,119.44

External Links

Lines of code

https://github.com/code-423n4/2022-04-mimo/blob/main/core/contracts/oracles/BalancerV2LPOracle.sol#L126-L129

https://github.com/code-423n4/2022-04-mimo/blob/main/core/contracts/oracles/GUniLPOracle.sol#L45-L51

Vulnerability details

Impact

The GUniLPOracle constructor and BalancerV2LPOracle._getNormalizedBalance both assume that an asset will never have more than 18 decimals. However, neither ERC20 tokens nor Chainlink price feeds enforce such a limit: for example, the Synthetix Aggregator Debt Ratio feed returns 27 decimals, and the YAMv2 token has 24 decimals. For any such asset the expression 18 - decimals underflows. Under Solidity 0.8 checked arithmetic the subtraction reverts and leaves the oracle unusable for that asset; if the arithmetic were unchecked, the uint8 subtraction would wrap to a value near 255 and the resulting 10**(18 - decimals) scale factor would dramatically overstate the normalized balance of such tokens and feeds.

Proof of Concept

A token similar to YAMv2 (24 decimals) is listed on Chainlink and a Mimo BalancerV2LPOracle is created for a pool containing it. Calls to getAssetPrice() are then broken, either reverting or dramatically overstating or understating the asset's price relative to EUR.

Tools Used

Manual analysis.

Recommended Mitigation Steps

Trigger a revert in both the GUniLPOracle constructor and BalancerV2LPOracle._getNormalizedBalance if an asset's decimals are greater than 18.
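As an added example that is not part of the original finding or of Mimo's code, the Solidity below puts the vulnerable normalization shape beside two hardened forms: the strict check the mitigation recommends, and a normalizer that scales in both directions. It also shows the constructor-time variant, where a cached scale factor is computed once and the check runs at deployment. The interface, library, contract and function names (IDecimals, WadNormalizer, TwoTokenWadOracleBase, toWadNaive, toWadStrict, toWad) are assumptions chosen for the example; the 18-decimal target and the 24- and 27-decimal inputs come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration for the finding above; it is not Mimo's code. All names
// below are assumptions for the example.
interface IDecimals {
    function decimals() external view returns (uint8);
}

library WadNormalizer {
    uint8 internal constant WAD_DECIMALS = 18;

    // Vulnerable shape: assumes `decimals <= 18`. For a 24-decimal token or a
    // 27-decimal feed, `WAD_DECIMALS - decimals` underflows. Under 0.8 checked
    // arithmetic this reverts with Panic(0x11); in an unchecked block the uint8
    // subtraction would wrap to a value near 255 and 10**(that) would overflow,
    // so the result is never a usable scale factor.
    function toWadNaive(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        return amount * 10**(WAD_DECIMALS - decimals);
    }

    // Mitigation recommended in the finding: refuse decimals > 18 explicitly,
    // with a readable reason string instead of an arithmetic panic.
    function toWadStrict(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        require(decimals <= WAD_DECIMALS, "WadNormalizer: decimals > 18");
        return amount * 10**(WAD_DECIMALS - decimals);
    }

    // Alternative: normalize in both directions. Scaling down truncates the
    // digits below 1e-18 of the asset unit, which is acceptable for a
    // price-feed input but must be a deliberate design choice.
    function toWad(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        if (decimals == WAD_DECIMALS) return amount;
        if (decimals < WAD_DECIMALS) return amount * 10**(WAD_DECIMALS - decimals);
        return amount / 10**(decimals - WAD_DECIMALS);
    }
}

// Constructor-time variant in the shape of a two-token LP oracle: each token's
// scale factor is cached once, so a token with more than 18 decimals cannot be
// wired into the oracle at all, and the failure surfaces at deployment rather
// than on every later price query.
contract TwoTokenWadOracleBase {
    uint256 public immutable scale0;
    uint256 public immutable scale1;

    constructor(address token0, address token1) {
        uint8 d0 = IDecimals(token0).decimals();
        uint8 d1 = IDecimals(token1).decimals();
        require(d0 <= 18 && d1 <= 18, "oracle: token decimals > 18");
        scale0 = 10**(18 - d0);
        scale1 = 10**(18 - d1);
    }

    // Balances are multiplied by the cached factor; with the constructor check
    // in place the factor is always >= 1 and the multiplication cannot wrap for
    // any realistic ERC20 balance.
    function normalized0(uint256 balance0) external view returns (uint256) {
        return balance0 * scale0;
    }

    function normalized1(uint256 balance1) external view returns (uint256) {
        return balance1 * scale1;
    }
}
```

With these definitions, toWadNaive(1, 24) panics under checked arithmetic, toWadStrict(1, 24) reverts with the reason string, and toWad(10**24, 24) returns 10**18; a 27-decimal feed answer such as the Synthetix Debt Ratio is divided by 10**9 by toWad. Whether a protocol should reject such assets (toWadStrict) or accept them with truncation (toWad) depends on whether it ever expects to support them; the finding's point is only that silently assuming 18 as an upper bound is wrong either way.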

#0 - m19

2022-05-05T08:52:01Z

We confirm this issue, but we don't think it's high risk; it's medium risk. Also a duplicate of #55.
