This repository has been archived by the owner on Nov 26, 2023. It is now read-only.

0xlmanini - Incorrect decimals assumption #56

Closed
sherlock-admin opened this issue May 23, 2023 · 0 comments
Labels:
Duplicate (a valid issue that is a duplicate of an issue with `Has Duplicates` label); High (a valid High severity issue); Reward (a payout will be made for this issue)

0xlmanini

high

Incorrect decimals assumption

Summary

StableOracleDAI.sol assumes the price reported by Chainlink is in 8 dp while it's really 18.

Vulnerability Detail

priceFeedDAIETH is set to the address 0x773616E4d11A78F511299002da57A0a94577F1f4 which matches this Chainlink price feed.
As can be seen on the price feed's Etherscan page, the price reported is in 18 decimal precision like every Chainlink feed price against ETH.
When calculating the value to be returned, the oracle takes the mean of the price returned by Uniswap's TWAP oracle and that returned by Chainlink. In doing this, it assumes that the Chainlink price is expressed in 8 decimals and thus multiplies it by 1e10.

Impact

Users of this oracle expect the returned value to be in 18 dp, while actually it's in 9 dp. The returned value's decimal precision check evaluates to:
1e18 * 1e18 / ((1e18 + 1e18 * 1e10) / 2) ~= 1e36 / (1e28 / 2) = 1e36 / 1e27 = 1e9

As a consequence, USSD.sol#calculateMint() will return a much smaller amount of USSD to be minted in exchange for DAI.

Code Snippet

StableOracleDAI.sol#getPriceUSD()

Tool used

Manual Review

Recommendation

Change the return value expression:

- return (wethPriceUSD * 1e18) / ((DAIWethPrice + uint256(price) * 1e10) / 2);
+ return (wethPriceUSD * 1e18) / ((DAIWethPrice + uint256(price)/ 2);
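Review bot: the `+` line has unbalanced parentheses: `((DAIWethPrice + uint256(price)/ 2)` opens two groups before `DAIWethPrice` but closes only one, so it does not compile as written, and read literally `/ 2` would bind to `uint256(price)` alone rather than to the sum. To keep the mean of the two prices while dropping the `* 1e10` factor, the divisor should read `((DAIWethPrice + uint256(price)) / 2)`. A short comment on that line stating that the feed answer is expected in 18 decimals would also make the assumption visible to the next reader.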

Duplicate of #236
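Added example (not code from the report or from the USSD project): a Python model of the `getPriceUSD()` arithmetic that compares the hard-coded `* 1e10` scaling with scaling by the decimals the feed reports. The function names and the unit sample values are assumptions made for illustration, and the normalising variant goes beyond the report's one-line fix by handling a feed of any precision.

```python
# Python model of the fixed-point arithmetic in getPriceUSD(). Python ints are
# arbitrary precision and // truncates like Solidity division for non-negative
# values. All inputs below are constructed samples, not on-chain data.

WAD_DECIMALS = 18  # precision that consumers of the oracle expect


def scale_to_wad(answer: int, feed_decimals: int) -> int:
    """Normalise a feed answer to 18 dp using the decimals the feed reports."""
    if answer <= 0:
        raise ValueError("non-positive feed answer")
    if feed_decimals <= WAD_DECIMALS:
        return answer * 10 ** (WAD_DECIMALS - feed_decimals)
    return answer // 10 ** (feed_decimals - WAD_DECIMALS)


def price_usd_hardcoded(weth_price_usd: int, dai_weth_price: int, answer: int) -> int:
    """Expression from the report's '-' line: assumes an 8 dp feed answer."""
    return (weth_price_usd * 10**18) // ((dai_weth_price + answer * 10**10) // 2)


def price_usd_normalised(weth_price_usd, dai_weth_price, answer, feed_decimals):
    """Same mean, but the feed answer is scaled by its reported decimals."""
    feed_wad = scale_to_wad(answer, feed_decimals)
    return (weth_price_usd * 10**18) // ((dai_weth_price + feed_wad) // 2)


def magnitude_gap(a: int, b: int) -> int:
    """Difference in decimal digit count; a large gap signals a scaling bug."""
    return abs(len(str(a)) - len(str(b)))


if __name__ == "__main__":
    one = 10**18  # constructed unit values, as in the Impact calculation
    bad = price_usd_hardcoded(one, one, one)
    good = price_usd_normalised(one, one, one, feed_decimals=18)
    print("hardcoded 1e10:", bad, "digits off:", magnitude_gap(bad, good))
    print("normalised    :", good)
    # An 8 dp feed reporting the same price gives the same 18 dp result.
    print("8 dp feed     :", price_usd_normalised(one, one, 10**8, 8))
```

In a contract the `feed_decimals` argument would come from the feed's `decimals()` getter on Chainlink's `AggregatorV3Interface` instead of a constant in the oracle.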

github-actions bot closed this as completed on Jun 5, 2023
github-actions bot added the High and Duplicate labels on Jun 5, 2023
sherlock-admin added the Reward label on Jun 23, 2023