Do not hardcode the feed precision, and rather pick the decimal from the Oracle. This can lead to wrong calculation of funds leading to losses
Summary
Do not hardcode the feed precision, and rather pick the decimal from the Oracle. This can lead to wrong calculation of funds leading to losses
Vulnerability Details
In the getUsdValue() method, its assumed that the precision from the feed is always 8 decimals,
and so its multiplied by the constant ADDITIONAL_FEED_PRECISION which has a value of 1e10,
which updates the precision to 18 decimals.
As any arbitrary token addresses can be added to the contract, addition of eth pairs come with a
precision of 18 decimals already, and if such a collateral token gets added to the contract
(either by mistake or maliciously), then the USD Value will be amplified by 1e10.
Link to code - https://github.com/Cyfrin/2023-07-foundry-defi-stablecoin/blob/main/src/DSCEngine.sol#L361
Reference to StackOverflow answer by Patrick Collins! https://ethereum.stackexchange.com/a/92513
Severity Justification
Marking this as High as both the following High criteria satisfy:
Funds are directly or nearly directly at risk
Source: https://docs.codehawks.com/rewards-and-judging
Tools Used
Manual inspection
Recommendations
Use Chainlink's decimals() API to check for the decimals and calculate any additional feed precision as needed (https://docs.chain.link/data-feeds/api-reference#decimals)
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.