Chainlink `priceFeed` doesn't always return 8 decimals
Summary
DSCEngine assumes that the Chainlink priceFeed always returns 8 decimals, which isn't always true.
Vulnerability Details
All DSCEngine calculations are based on a Chainlink priceFeed returning an 8 decimals result, which isn't true for some pair as AMPL/USD for example.
Therefore getTokenAmountFromUsd(), getAccountCollateralValue(), and getUsdValue() won't return the correct answer when the pair token used isn't returning an 8 decimals result from the Chainlink pricefeed.
This project is meant to be a stablecoin where users can deposit WETH and WBTC in exchange for a token that will be pegged > to the USD. The system is meant to be such that someone could fork this codebase, swap out WETH & WBTC for any basket of > assets they like, and the code would work the same.
A pair like AMPL/USD will return an 18 decimals which will inflate the user account compared to the "real value" of what he deposited.
Impact
The user's account balance is inflated and the user can borrow and withdraw more than the "real" value of the deposited collateral.
Tools Used
Manual review
Recommendations
Consider adding a check for AggregatorV3Interface.decimals() to make sure priceFeed's decimals = 8.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.