Submission Details
Severity: medium
Valid

Chainlink `priceFeed` doesn't always return 8 decimals

Summary

DSCEngine assumes that the Chainlink priceFeed always returns 8 decimals, which isn't always true.

Vulnerability Details

All DSCEngine calculations assume that the Chainlink price feed returns a result with 8 decimals, which is not true for every pair (AMPL/USD, for example).
Therefore getTokenAmountFromUsd(), getAccountCollateralValue(), and getUsdValue() return incorrect values whenever the collateral token's Chainlink price feed does not return an 8-decimal result.

> This project is meant to be a stablecoin where users can deposit WETH and WBTC in exchange for a token that will be pegged to the USD. The system is meant to be such that someone could fork this codebase, swap out WETH & WBTC for any basket of assets they like, and the code would work the same.

A pair like AMPL/USD returns an 18-decimal result, which inflates the user's account value compared to the "real value" of what they deposited.

Impact

The user's account balance is inflated and the user can borrow and withdraw more than the "real" value of the deposited collateral.

Tools Used

Manual review

Recommendations

Consider adding a check on AggregatorV3Interface.decimals() to make sure each price feed's decimals value is 8.
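As an added example (this is not DSCEngine code, and the contract name, storage names, error names and the getUsdValue signature below are assumptions), here is the decimals check described in the recommendation in Solidity, next to a read-time normalization alternative that makes the USD math correct for an 8-decimal feed (WETH/USD) and an 18-decimal feed (AMPL/USD) alike. Only the decimals() and latestRoundData() members of the real Chainlink AggregatorV3Interface are declared.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the DSCEngine code. Minimal subset of Chainlink's
// AggregatorV3Interface: the two calls this example needs.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical contract name; storage and error names are assumptions too.
contract PriceFeedDecimalsExample {
    error PriceFeedDecimalsNot8(address feed, uint8 decimals);
    error TokenNotAllowed(address token);
    error InvalidPrice(address feed, int256 answer);

    uint8 private constant EXPECTED_FEED_DECIMALS = 8;
    uint256 private constant PRECISION = 1e18; // USD values are returned with 18 decimals

    mapping(address token => address priceFeed) private s_priceFeeds;

    // Option 1, the recommendation above: refuse any feed that does not report
    // 8 decimals, so code that hardcodes the 8-decimal assumption stays correct.
    // A deployer forking the codebase with AMPL/USD as collateral fails here
    // at deploy time instead of silently inflating account values later.
    constructor(address[] memory tokens, address[] memory feeds) {
        require(tokens.length == feeds.length, "tokens/feeds length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            uint8 d = AggregatorV3Interface(feeds[i]).decimals();
            if (d != EXPECTED_FEED_DECIMALS) revert PriceFeedDecimalsNot8(feeds[i], d);
            s_priceFeeds[tokens[i]] = feeds[i];
        }
    }

    // Option 2: normalize whatever the feed returns to 18 decimals at read time
    // instead of assuming 8. decimals() is read on every call for clarity; cache
    // it per feed at construction if gas matters.
    function _priceScaledTo18(address feed) internal view returns (uint256) {
        AggregatorV3Interface agg = AggregatorV3Interface(feed);
        (, int256 answer,,,) = agg.latestRoundData();
        if (answer <= 0) revert InvalidPrice(feed, answer);
        uint8 d = agg.decimals();
        if (d <= 18) return uint256(answer) * 10 ** (18 - d); // 8 decimals -> multiply by 1e10
        return uint256(answer) / 10 ** (d - 18);              // more than 18 -> scale down
    }

    // USD value (18 decimals) of `amount` base units of `token`. With the
    // normalization above, an 18-decimal AMPL/USD feed yields the same result
    // as an 8-decimal feed quoting the same price, so the user's collateral is
    // no longer overstated by a factor of 1e10.
    function getUsdValue(address token, uint256 amount) public view returns (uint256) {
        address feed = s_priceFeeds[token];
        if (feed == address(0)) revert TokenNotAllowed(token);
        return (_priceScaledTo18(feed) * amount) / PRECISION;
    }
}
```

Either option closes the finding: the constructor check keeps the existing fixed-scaling arithmetic safe by rejecting non-8-decimal feeds up front, while the normalization lets a fork use any basket of assets as the project description intends. Deploy scripts for a fork should still verify each feed's decimals() against the chosen approach, since the check only covers feeds registered through this constructor.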
