Submission Details
Severity:
`getTokenAmountFromUsd` will return wrong value if the oracle prices are negative
Summary
In the unlikely event that the price of an asset goes negative, the getTokenAmountFromUsd function will convert the int256 result to uint256 and return the invalid result, leading to a loss of funds.
Vulnerability Details
The Chainlink Data Feeds use int instead of uint because some prices can be negative, like when oil futures dropped below 0. Source
The usage of off-chain oracle prices in DSCEngine.sol:
function getTokenAmountFromUsd(address token, uint256 usdAmountInWei) public view returns (uint256) {
// price of ETH (token)
// $/ETH ETH ??
// $2000 / ETH. $1000 = 0.5 ETH
AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
@> (, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
// ($10e18 * 1e18) / ($2000e8 * 1e10)
@> return (usdAmountInWei * PRECISION) / (uint256(price) * ADDITIONAL_FEED_PRECISION);
}
function getUsdValue(address token, uint256 amount) public view returns (uint256) {
AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
@> (, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
// 1 ETH = $1000
// The returned value from CL will be 1000 * 1e8
@> return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
}
Impact
Positions won't be liquidatable, and DSC system will become insolvent.
Tools Used
Manual review
Recommendations
Provide a mechanism for positions to be liquidated even if the price becomes negative.
Prize pool breakdown
Total prize
15,000 USDC
nSLOC
23664 USDC / LOC
14,000 USDC
1,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.