Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Wrong value calculation will cause unfair liquidation calculation

BAHOZ

Summary

Faulty decimal assumption may cause wrong value calculation which will lead wrong health factor and liquidation of unhealthy positions won't work as expected.

Vulnerability Details

getUsdValue() function in DSCEngine.sol uses ADDITIONAL_FEED_PRECISION = 1e10 for all token pairs, assuming all tokens pairs will have 8 decimals. However, this is not the case given the contracts should work for "any basket of assets".
This may result in some healthy positions being liquidated (if price feed decimals < 8) and some unhealthy positions to look like healthy(if price feed decimals > 8).

An attacker can use such assets to deposit and mint more tokens than they should, causing protocol insolvency.

For example AMPL/USD price feed has 18 decimals and given it is enabled on the protocol an attacker can use $1 AMPL as collateral and mint $10.000.000.000 in stable coins.

https://etherscan.io/address/0xe20CA8D7546932360e37E9D72c1a47334af57706#readContract

Impact

Wrong value calculation may break whole protocol, resulting in protocol insolvency.

Tools Used

Manual review

Recommendations

Store decimals of the price feed for each pair and use that to calculate collateral value.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.