Foundry DeFi Stablecoin CodeHawks Audit Contest
Cyfrin
DeFiFoundry
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

High - Underflow in pricefeed can lead to near infinite minting of DSC

TeamFliBit

Summary

Casting the price received from the Chainlink oracle from int256 to uint256 will lead to an underflow and near-infinite minting of DSC when the input is smaller than 0.

Vulnerability Details

In getUsdValue() the asset's price in USD returned by the oracle is cast to uint256 from int256. This can lead to an underflow where the price returned is near type(uint256).max.

A negative price from a Chainlink oracle is possible, for example in the case of oil futures as stated by Patrick Collins in this StackOverflow question.

Since the audit readme clearly states that the protocol code should work the same regardless of the asset basket, it should account for edge cases such as these.

Impact

With a price of token x at type(uint256).max, it is possible to mint infinite DSC which could be used to exchange for other assets on exchange platforms, causing the stablecoin to lose its peg to USD and ultimately become worthless.

Tools Used

Manual review

Recommendations

Add a check that reverts if the price from the oracle is negative.

function getUsdValue(address token, uint256 amount) public view returns (uint256) {
AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
(, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
+ if(price < 0){revert("Underflow")}
// 1 ETH = $1000
// The returned value from CL will be 1000 * 1e8
return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.