Open Dollar - ni8mare's results

Judge has assessed an item in Issue #430 as 2 risk. The relevant finding follows:

It’s not clear which token the OD token will be paired with in order to determine the price in the uniV3Relayer contract. Then the following lines are problematic: baseAmount = uint128(10 ** IERC20Metadata(_baseToken).decimals()); multiplier = 18 - IERC20Metadata(_quoteToken).decimals(); quotePeriod = _quotePeriod; Decimals of the token can be greater than 18. Hence, the calculation for the multiplier will overflow and revert if it is greater than 18. Necessary checks to be implemented to make sure it does not happen

Lines of code

https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/oracles/UniV3Relayer.sol#L18

Vulnerability details

Impact

The address for _UNI_V3_FACTORY is set as GOERLI_CAMELOT_V3_FACTORY which in Registry.s.sol is equal to 0x4893376342d5D7b3e31d4184c08b265e5aB2A3f6. But, on Arbitrum scan this address has no transactions. It's not the correct address for the factory - https://arbiscan.io/address/0x4893376342d5D7b3e31d4184c08b265e5aB2A3f6#tokentxns. The valid address for the factory on Arbitrum is 0x1F98431c8aD98523631AE4a59f267346ea31F984. This is specified in the Uniswap documentation - https://docs.uniswap.org/contracts/v3/reference/deployments. Hence the right address must be used.

Proof of Concept

In UniV3Relayer

contract UniV3Relayer is IBaseOracle, IUniV3Relayer {
  // --- Registry ---
  address internal constant _UNI_V3_FACTORY = GOERLI_UNISWAP_V3_FACTORY;

In Registry.s.sol:

address constant GOERLI_UNISWAP_V3_FACTORY = 0x4893376342d5D7b3e31d4184c08b265e5aB2A3f6;
address constant GOERLI_CAMELOT_V2_FACTORY = 0x659fd9F4536f540bd051c2739Fc8b8e9355E5042;

Tools Used

Manual review

Recommended Mitigation Steps

It is recommended to use the right address for the factory and also to update the variable name from GOERLI_UNISWAP_V3_FACTORY to ARBITRUM_UNISWAP_V3_FACTORY.

Assessed type

Other