This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
Viktor_Cortess - getPriceUSD() function in StableOracleDAI contract calculates price of WETH with inverted data. #491
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Escalation Resolved
This issue's escalations have been approved/rejected
High
A valid High severity issue
Reward
A payout will be made for this issue
Comments
github-actions
bot
added
High
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
See my comment in #555 |
|
Result: |
|
Escalations have been resolved successfully! Escalation status:
|
sherlock-admin
added
the
Escalation Resolved
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Viktor_Cortess
medium
getPriceUSD() function in StableOracleDAI contract calculates price of WETH with inverted data.
Summary
One part of the formula:
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L50-L52
returns WETH/USD price, and another part USD/WETH price. As a result, it returns incorrect data.
Vulnerability Detail
I want to start from the point that this line:
uint256 wethPriceUSD = ethOracle.getPriceUSD();always reverts (as it tries to call 0x0 address), so we can't get info from a numerator from our formula.But the other problem is a denominator.
Let's check the numbers that we got forking the mainnet with console.log.
So in the denominator here we got:
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/oracles/StableOracleDAI.sol#L52
(1815334096585302685954 + 550219077097193 * 1e10)/2
The price is 1 WETH in Dai plus 1 Dai in Weth.
As I understand the denominator is supposed to be (WETH price + WETH price)/2 to get an average WETH price from 2 Oracles, but in this case it will return an incorrect number.
Impact
Retrieving prices for WETH from Oracle doesn't work.
Code Snippet
Tool used
Manual Review
Recommendation
Frankly speaking without normal data from the numerator it's hard to be 100% sure, But regarding the denominator you can change the formula to:
((DAIWethPrice + 1/(uint256(price) * 1e10) )/ 2);
Or check the way you get data from the Oracles to change the formula in an appropriate way.
Duplicate of #102
The text was updated successfully, but these errors were encountered: