15,000 USDC
Submission Details
Severity: medium
Valid

Chainlink does not always return 8 decimals

Summary

The project assumes that a Chainlink price feed always returns prices with 8 decimals, which is not always true. Because of this assumption, the wrong collateral value will be taken into account.

Vulnerability Details

For some feeds, such as AMPL/USD, the price is returned with 18 decimals and not 8. The ADDITIONAL_FEED_PRECISION variable is set to 1e10 on the assumption that Chainlink returns a price with 8 decimals. This can result in extremely wrong accounting in the following calculation in getUsdValue:

((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;

If the price has 8 decimals, this is fine. But if it has 18 decimals, multiplying it by ADDITIONAL_FEED_PRECISION produces a number on the order of 1e28. After the division by PRECISION, the end result has 10 more decimals than intended.

Impact

Wrong accounting. Users can take collateral by providing a very low amount of collateral tokens.

Tools Used

Manual review

Recommendations

Consider the number of decimals that are being returned by the Chainlink price feed, and then accordingly update the calculation.
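
One way to apply this recommendation, as an added example that is not the audited project's code: the price is scaled to 18 decimals using the value the feed reports from decimals() instead of a fixed 1e10 multiplier. The FeedScaling library, its error names, and PRECISION = 1e18 with 18-decimal token amounts are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Subset of Chainlink's AggregatorV3Interface, declared inline so the example is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper library (assumption, not from the audited code base).
library FeedScaling {
    uint256 internal constant TARGET_DECIMALS = 18; // precision used for USD values
    uint256 internal constant PRECISION = 1e18;     // assumed: token amounts use 18 decimals

    error FeedScaling__NonPositivePrice();

    // Returns the latest feed price normalised to 18 decimals,
    // whatever number of decimals the feed itself reports.
    function priceTo18(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 price,,,) = feed.latestRoundData();
        if (price <= 0) revert FeedScaling__NonPositivePrice();

        uint256 feedDecimals = feed.decimals();
        if (feedDecimals <= TARGET_DECIMALS) {
            // 8-decimal feed: multiply by 1e10. 18-decimal feed: multiply by 1.
            return uint256(price) * 10 ** (TARGET_DECIMALS - feedDecimals);
        }
        // Feed reports more than 18 decimals: scale down instead of up.
        return uint256(price) / 10 ** (feedDecimals - TARGET_DECIMALS);
    }

    // Replacement for the fixed-multiplier calculation:
    // ((price * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION
    function getUsdValue(AggregatorV3Interface feed, uint256 amount) internal view returns (uint256) {
        return (priceTo18(feed) * amount) / PRECISION;
    }
}
```

With an 8-decimal feed this gives the same result as the original formula; with an 18-decimal feed the extra factor of 1e10 is no longer applied.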
