15,000 USDC
Submission Details
Severity: medium
Valid

Assumptions on Chainlink USD oracles' decimals being 8

Summary

The contract assumes that the price oracle always returns 8 decimals. For most cases this is ok in USD oracles but it is not always true. For example, the AMPL/USD feed has 18 decimals.

Since this system is meant to be generic and used with any basket of assets, I consider checks on the decimals of the oracle to be necessary. Also, the assumption that in the future new USD oracles will always have 8 decimals can become problematic.

Vulnerability Details

When calculating the USD value of collateral tokens, the price is assumed to have 8 decimals, but this is never checked using Chainlink's .decimals() function. For more details, see the use of ADDITIONAL_FEED_PRECISION (constant set to 10) for multiplication in DSCEngine.getUsdValue() and DSCEngine.getTokenAmountFromUsd().

Impact

A deployer of the DecentralizedStableCoin engine might deploy the system with a USD price feed that returns prices with more than 8 decimals, leading to an inflated valuation for the collateral.

Tools Used

Manual review

Recommendations

Consider checking priceFeed.decimals() either in the constructor, storing the additional feed precision for each collateral token, or each time the USD value of the collateral is requested. The price should then be multiplied by the correct value to scale it up to 18 decimals.
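
One way to implement the constructor-time variant of this recommendation, as an added example that is not code from DSCEngine or from this submission. The contract name, error names and storage names are hypothetical; it assumes token amounts use 18 decimals and that a feed reporting more than 18 decimals should be rejected at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal subset of Chainlink's AggregatorV3Interface needed for this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper contract illustrating per-feed precision (not DSCEngine itself).
contract FeedPrecisionExample {
    uint256 private constant TARGET_DECIMALS = 18;
    uint256 private constant PRECISION = 1e18; // assumption: token amounts use 18 decimals

    error LengthMismatch();
    error FeedDecimalsTooLarge(address feed, uint8 feedDecimals);
    error NonPositivePrice(address feed);

    mapping(address => address) private s_priceFeeds; // token => price feed
    mapping(address => uint256) private s_feedScale;  // token => 10 ** (18 - feed.decimals())

    constructor(address[] memory tokens, address[] memory feeds) {
        if (tokens.length != feeds.length) revert LengthMismatch();
        for (uint256 i = 0; i < tokens.length; i++) {
            // Read the feed's real precision instead of assuming 8 decimals.
            uint8 feedDecimals = AggregatorV3Interface(feeds[i]).decimals();
            if (feedDecimals > TARGET_DECIMALS) revert FeedDecimalsTooLarge(feeds[i], feedDecimals);
            s_priceFeeds[tokens[i]] = feeds[i];
            // 1e10 for an 8-decimal feed, 1 for an 18-decimal feed such as AMPL/USD.
            s_feedScale[tokens[i]] = 10 ** (TARGET_DECIMALS - feedDecimals);
        }
    }

    // USD value of `amount` tokens, returned with 18 decimals.
    function getUsdValue(address token, uint256 amount) public view returns (uint256) {
        address feed = s_priceFeeds[token];
        (, int256 price,,,) = AggregatorV3Interface(feed).latestRoundData();
        if (price <= 0) revert NonPositivePrice(feed);
        // Scale the price to 18 decimals with the stored per-feed factor.
        return (uint256(price) * s_feedScale[token] * amount) / PRECISION;
    }
}
```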
