Chainlink Oracles store answers with as int256
, allowing for negative values. In the DSCEngine, however, answer
is explicitly cast to uint256
and is then used to calculate the value of collateral. For example in getUsdValue()
:
Explicit casts in Solidity are unsafe by design and this one in particular will underflow:
uint256(int256(-1))
will evaluate to 2^256 - 1
uint256(int256(-10e8))
will evaluate to 2^256 - 10e8
Therefore negative prices will be treated as exceedingly large prices (77 OOM), allowing for an essentially unlimited minting power.
Medium.
Severity is critical, but the likelihood is very low.
Manual Review.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.