Do not hardcode the feed precision, and rather pick the decimal from the Oracle. This can lead to wrong calculation of funds leading to losses
In the getUsdValue() method, it's assumed that the precision from the feed is always 8 decimals, and so the price is multiplied by the constant ADDITIONAL_FEED_PRECISION, which has a value of 1e10, which updates the precision to 18 decimals.
As arbitrary token addresses can be added to the contract, and some feeds (for example ETH-denominated pairs) already report with a precision of 18 decimals, if such a collateral token gets added to the contract (either by mistake or maliciously), then the USD value will be amplified by 1e10.
Link to code - https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L361
Reference to StackOverflow answer by Patrick Collins! https://ethereum.stackexchange.com/a/92513
Marking this as High, as both of the following High criteria are satisfied:
Funds are directly or nearly directly at risk
Source: https://docs.codehawks.com/rewards-and-judging
Manual inspection
Use Chainlink's decimals() API to check for the decimals and calculate any additional feed precision as needed (https://docs.chain.link/data-feeds/api-reference#decimals)
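The following is an added example, not code from DSCEngine or the Cyfrin repository, illustrating the amplification described above and the recommended mitigation side by side. It assumes a minimal subset of Chainlink's AggregatorV3Interface (decimals() and latestRoundData(), both of which exist in the real interface), a constructed MockFeed so it can be run without a live oracle, and a hypothetical UsdValue library; the names MockFeed, UsdValue, hardcoded, fromFeedDecimals and Demo are assumptions for this example. The Demo contract prices one 18-decimal token against two feeds that both report 2000 USD, one with 8 decimals and one with 18, so the hardcoded path overstates the second by 1e10 while the decimals()-aware path returns 2000e18 for both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example (not DSCEngine's code): minimal subset of Chainlink's
// AggregatorV3Interface, enough to read the answer and its decimals.
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Constructed mock feed so the example runs without a live oracle.
contract MockFeed is IAggregatorV3 {
    uint8 private immutable i_decimals;
    int256 private s_answer;

    constructor(uint8 decimals_, int256 answer_) {
        i_decimals = decimals_;
        s_answer = answer_;
    }

    function decimals() external view returns (uint8) {
        return i_decimals;
    }

    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, s_answer, block.timestamp, block.timestamp, 1);
    }
}

/// @notice Hypothetical helper library used only for this example.
library UsdValue {
    uint256 internal constant PRECISION = 1e18;
    uint256 internal constant ADDITIONAL_FEED_PRECISION = 1e10;

    /// @dev The pattern described in the finding: assumes every feed answers with 8 decimals.
    function hardcoded(IAggregatorV3 feed, uint256 amount) internal view returns (uint256) {
        (, int256 price,,,) = feed.latestRoundData();
        return (uint256(price) * ADDITIONAL_FEED_PRECISION * amount) / PRECISION;
    }

    /// @dev Recommended form: read decimals() from the feed and scale the answer to
    ///      18 decimals before multiplying by the 18-decimal token amount. Feeds with
    ///      more than 18 decimals are scaled down instead of up.
    function fromFeedDecimals(IAggregatorV3 feed, uint256 amount) internal view returns (uint256) {
        (, int256 price,,,) = feed.latestRoundData();
        require(price > 0, "invalid price");
        uint8 feedDecimals = feed.decimals();
        uint256 scaledPrice;
        if (feedDecimals <= 18) {
            scaledPrice = uint256(price) * (uint256(10) ** (18 - feedDecimals));
        } else {
            scaledPrice = uint256(price) / (uint256(10) ** (feedDecimals - 18));
        }
        return (scaledPrice * amount) / PRECISION;
    }
}

/// @notice Deploys two feeds that both quote 2000 USD and prices one token against each.
contract Demo {
    function run()
        external
        returns (uint256 hardcoded8, uint256 hardcoded18, uint256 correct8, uint256 correct18)
    {
        MockFeed feed8 = new MockFeed(8, 2000e8);    // 8-decimal feed (the assumed case)
        MockFeed feed18 = new MockFeed(18, 2000e18); // 18-decimal feed (e.g. an ETH pair)
        uint256 oneToken = 1e18;

        hardcoded8 = UsdValue.hardcoded(feed8, oneToken);   // 2000e18, correct only by assumption
        hardcoded18 = UsdValue.hardcoded(feed18, oneToken); // 2000e28, amplified by 1e10
        correct8 = UsdValue.fromFeedDecimals(feed8, oneToken);   // 2000e18
        correct18 = UsdValue.fromFeedDecimals(feed18, oneToken); // 2000e18
    }
}
```

Deploying Demo and calling run() from a Foundry test or a REPL gives the four values noted in the comments; the mismatch between hardcoded18 and correct18 is the 1e10 amplification the finding describes. Because decimals() is a view call on the feed, it can be read once when a collateral token is registered and cached, avoiding an extra external call on every valuation.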