0xRobocop - getPriceUSD() function at the StableOracleDAI.sol returns an incorrect value #315
Escalate for 10 USDC

This is not a duplicate of #236. #236 talks about an incorrect assumption in the decimals returned by the chainlink oracle, which is only one part of the problem. And this can be seen in the mitigation recommended by the Watson to remove

My issue identified another incorrect assumption, which is not the decimals returned but which price is returned: the contract expects the price it consumes to be how much DAI 1 ETH is worth (DAI / ETH). But the chainlink feed actually returns how much ETH 1 DAI is worth (ETH / DAI). This can be confirmed by putting the address used in the contract, 0x773616E4d11A78F511299002da57A0a94577F1f4, in Etherscan and calling latestRoundData().

The incorrect assumption can also be seen in the above formula; it adds
Duplicate of #102 |
Result: Escalations have been resolved successfully! Escalation status:
0xRobocop
high
getPriceUSD() function at the StableOracleDAI.sol returns an incorrect value
Summary
See Vulnerability Detail
Vulnerability Detail
The function `getPriceUSD()` at the `StableOracleDAI.sol` contract is supposed to return how much USD 1 DAI is worth. This is computed with the following formula:

Which seems correct, but a wrong assumption on the value of `price` makes it incorrect. Let's analyze it.

`wethPriceUSD` is computed as:

`uint256 wethPriceUSD = ethOracle.getPriceUSD();`

which, quoting the interface, should return how much USD 1 ETH is worth with 18 decimals.

`DAIWethPrice` is computed as:

Again, quoting the interface, `quoteSpecificPoolsWithTimePeriod` returns: "Amount of quoteToken received for baseAmount of baseToken". In this case `quoteToken` is DAI, so it returns how much DAI 1 ETH is worth with 18 decimals.

And lastly `price` is computed as:

The error is here: the developer assumes that this price returned by chainlink corresponds to how much DAI 1 ETH is worth with 8 decimals. In reality the value returned is the opposite; it returns how much ETH 1 DAI is worth and it has 18 decimals. This can be confirmed by putting the address used in the contract, `0x773616E4d11A78F511299002da57A0a94577F1f4`, in Etherscan and calling `decimals()` and `latestRoundData()`.

Impact
In this case the price of DAI in USD will be underestimated, causing a loss for the user who mints USSD using DAI as collateral.
Code Snippet
https://github.com/sherlock-audit/2023-05-USSD/blob/6d7a9fdfb1f1ed838632c25b6e1b01748d0bafda/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L50-L52
Tool used
Manual Review
Recommendation
Invert the value returned by chainlink, and remember that it has 18 decimals.
Or better, use the chainlink price feed for DAI / USD, which is
0xAed0c38402a5d19df6E4c03F4E2DceD6e29c1ee9
Duplicate of #102