Submission Details
Severity:
`getAccountCollateralValue` should avoid to execute `getUsdValue` when `amount == 0`
Summary
In getAccountCollateralValue the current implementation calls getUsdValue even when the user has provided no collateral for the s_collateralDeposited token.
The getUsdValue will perform a call to the ChainLink oracle and calculate the price conversion, when the result will be anyway 0 because amount is zero.
function getUsdValue(address token, uint256 amount) public view returns (uint256) {
AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
(, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
// 1 ETH = $1000
// The returned value from CL will be 1000 * 1e8
return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
}
Vulnerability Details
See Summary
Impact
Gas is wasted when amount is zero
Tools Used
Manual
Recommendations
The client could update the getAccountCollateralValue to skip getUsdValue call if amount == 0
function getAccountCollateralValue(address user) public view returns (uint256 totalCollateralValueInUsd) {
// loop through each collateral token, get the amount they have deposited, and map it to
// the price, to get the USD value
for (uint256 i = 0; i < s_collateralTokens.length; i++) {
address token = s_collateralTokens[i];
uint256 amount = s_collateralDeposited[user][token];
- totalCollateralValueInUsd += getUsdValue(token, amount);
+ if( amount != 0 ) {
+ totalCollateralValueInUsd += getUsdValue(token, amount);
+ }
}
return totalCollateralValueInUsd;
}
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
23664 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.