15,000 USDC
Submission Details
Severity: medium
Valid

Do not hardcode the feed precision; read the decimals from the oracle instead. Hardcoding it can lead to wrong calculation of collateral value and to losses.

Summary

DSCEngine.getUsdValue() assumes every Chainlink price feed returns 8 decimals and scales the answer by a hardcoded 1e10. A feed with a different precision (for example an 18-decimal ETH-pair feed) would be mis-scaled, so the USD value of that collateral would be wrong and funds could be lost. The feed's decimals() should be read from the oracle instead of being hardcoded.

Vulnerability Details

In the getUsdValue() method it is assumed that the precision of the feed is always 8 decimals, so the returned price is multiplied by the constant ADDITIONAL_FEED_PRECISION (1e10) to bring it up to 18 decimals.

Arbitrary token addresses (with their feeds) can be configured in the contract. ETH-pair feeds already return 18-decimal prices, so if such a feed is registered as the price source for a collateral token (either by mistake or maliciously), the computed USD value is amplified by 1e10. Conversely, a feed with fewer than 8 decimals would be undervalued.

// DSCEngine.sol#L361
function getUsdValue(address token, uint256 amount) public view returns (uint256) {
    AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
    (, int256 price,,,) = priceFeed.staleCheckLatestRoundData();
    // 1 ETH = $1000
    // The returned value from CL will be 1000 * 1e8
    return ((uint256(price) * ADDITIONAL_FEED_PRECISION) * amount) / PRECISION;
}

Link to code - https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L361

Reference: StackOverflow answer by Patrick Collins on feed decimals: https://ethereum.stackexchange.com/a/92513

Severity Justification

Marking this as High because the following High criterion is satisfied:

  • Funds are directly or nearly directly at risk

Source: https://docs.codehawks.com/rewards-and-judging

Tools Used

Manual inspection

Recommendations

Use Chainlink's decimals() API to read the feed's precision and compute any additional feed precision from it instead of hardcoding 1e10 (https://docs.chain.link/data-feeds/api-reference#decimals). Reject feeds whose decimals exceed the target precision so the scaling exponent cannot underflow.
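As an added example (not the project's code), the following Solidity fragment shows the recommended fix: the feed's decimals() is read at call time and the price is scaled to 18 decimals from whatever precision the feed actually uses. The contract name, the MockFeed helper, the constructor wiring and the use of plain latestRoundData() instead of the project's staleCheckLatestRoundData() wrapper are assumptions made for this example; the import path assumes the usual @chainlink/contracts remapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Assumes the @chainlink/contracts remapping is available (as in the audited repo).
import {AggregatorV3Interface} from "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";

/// @notice Hypothetical engine fragment (example code, not DSCEngine itself).
contract UsdValueExample {
    uint256 private constant PRECISION = 1e18;
    uint8 private constant TARGET_DECIMALS = 18;

    mapping(address => address) private s_priceFeeds;

    constructor(address[] memory tokens, address[] memory feeds) {
        require(tokens.length == feeds.length, "length mismatch");
        for (uint256 i = 0; i < tokens.length; i++) {
            s_priceFeeds[tokens[i]] = feeds[i];
        }
    }

    /// @dev Scales the feed answer to 18 decimals using the feed's own decimals()
    ///      instead of a hardcoded 1e10. `amount` is still assumed to be 18-decimal
    ///      (the same assumption the original function makes via PRECISION).
    function getUsdValue(address token, uint256 amount) public view returns (uint256) {
        AggregatorV3Interface priceFeed = AggregatorV3Interface(s_priceFeeds[token]);
        // The project wraps this call in a staleness check; omitted here for brevity.
        (, int256 price,,,) = priceFeed.latestRoundData();
        require(price > 0, "invalid price");

        uint8 feedDecimals = priceFeed.decimals();
        // Guard the exponent: a feed with more than 18 decimals would underflow below.
        require(feedDecimals <= TARGET_DECIMALS, "feed precision too high");

        uint256 scaledPrice = uint256(price) * (10 ** uint256(TARGET_DECIMALS - feedDecimals));
        return (scaledPrice * amount) / PRECISION;
    }
}

/// @notice Minimal constructed feed used to exercise both precisions (example only).
contract MockFeed is AggregatorV3Interface {
    uint8 private immutable i_decimals;
    int256 private immutable i_answer;

    constructor(uint8 decimals_, int256 answer_) {
        i_decimals = decimals_;
        i_answer = answer_;
    }

    function decimals() external view override returns (uint8) { return i_decimals; }
    function description() external pure override returns (string memory) { return "mock"; }
    function version() external pure override returns (uint256) { return 0; }

    function getRoundData(uint80)
        external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, i_answer, block.timestamp, block.timestamp, 1);
    }

    function latestRoundData()
        external view override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (1, i_answer, block.timestamp, block.timestamp, 1);
    }
}
```

Deploying UsdValueExample with `new MockFeed(8, 1000e8)` or with `new MockFeed(18, 1000e18)` as the feed for a token and calling getUsdValue(token, 1e18) returns 1000e18 in both cases, whereas the hardcoded 1e10 multiplier in the original code would return 1000e28 for the 18-decimal feed. The collateral token's own decimals() remain a separate assumption that this example, like the original, does not address.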
