DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

Protocol doesn't support tokens which have a Price Feed against ETH but not against USD

Summary

Some tokens on Chainlink Price Feeds have a pair against ETH but not against USD. The current implementation doesn't allow them to be used as an asset.

Such tokens include ALCX, ALPHA, ANT, ATOM, AXS, BAT, etc.

Vulnerability Details

LibOracle.getOraclePrice() returns the price of the asset in terms of ETH. It consists of two steps: 1) fetch the base price USD/ETH, 2) fetch the price of the asset against USD.

function getOraclePrice(address asset) internal view returns (uint256) {
    AppStorage storage s = appStorage();
    AggregatorV3Interface baseOracle = AggregatorV3Interface(s.baseOracle);
    uint256 protocolPrice = getPrice(asset);
    // prettier-ignore
    (
        uint80 baseRoundID,
        int256 basePrice,
        /*uint256 baseStartedAt*/
        ,
        uint256 baseTimeStamp,
        /*uint80 baseAnsweredInRound*/
    ) = baseOracle.latestRoundData();
    AggregatorV3Interface oracle = AggregatorV3Interface(s.asset[asset].oracle);
    if (address(oracle) == address(0)) revert Errors.InvalidAsset();
    if (oracle == baseOracle) {
        ...
    } else {
        // prettier-ignore
        (
            uint80 roundID,
            // X / USD
            int256 price,
            /*uint256 startedAt*/
            ,
            uint256 timeStamp,
            /*uint80 answeredInRound*/
        ) = oracle.latestRoundData();
@>      //@audit Here price is normalized from USD to ETH
@>      uint256 priceInEth = uint256(price).div(uint256(basePrice));
        oracleCircuitBreaker(
            roundID, baseRoundID, price, basePrice, timeStamp, baseTimeStamp
        );
        return priceInEth;
    }
}

However, some tokens don't have a pair against USD; instead they have a pair against ETH directly. As a result, the protocol can't support them.

Impact

Such tokens can't be used as an asset in the protocol, because their price can't be fetched from Chainlink.

Tools Used

Manual Review

Recommendations

Refactor the price-fetching model, i.e. don't use the base oracle price if the asset already has a pair against ETH in Chainlink.
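One way the recommendation could look, as an added sketch that is not DittoETH's code: the library name `QuoteAwareOracle`, the `Quote` enum, `MAX_AGE` and the `BadFeed` error are hypothetical, and the project's own circuit-breaker logic is replaced here by a plain staleness and sign check. Each answer is scaled by the feed's own `decimals()` so that ETH-quoted and USD-quoted feeds end up on the same 18-decimal scale.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink aggregator interface, trimmed to the two calls used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical sketch, not DittoETH's LibOracle. All names here are assumptions.
library QuoteAwareOracle {
    enum Quote { USD, ETH } // denomination of the asset's own feed

    uint256 internal constant MAX_AGE = 2 hours; // assumed staleness bound

    error BadFeed(address feed);

    // Read one feed, reject non-positive or stale answers, scale to 18 decimals.
    function read(AggregatorV3Interface feed) internal view returns (uint256) {
        (uint80 roundId, int256 answer,, uint256 updatedAt,) = feed.latestRoundData();
        if (roundId == 0 || answer <= 0 || updatedAt == 0 || block.timestamp > updatedAt + MAX_AGE) {
            revert BadFeed(address(feed));
        }
        uint8 d = feed.decimals();
        if (d > 18) revert BadFeed(address(feed));
        return uint256(answer) * 10 ** uint256(18 - d);
    }

    // Price of the asset in ETH with 18 decimals.
    function priceInEth(AggregatorV3Interface assetFeed, Quote quote, AggregatorV3Interface ethUsdFeed)
        internal
        view
        returns (uint256)
    {
        uint256 assetPrice = read(assetFeed);
        // X/ETH feed: the answer is already in ETH, so the base oracle is not consulted.
        if (quote == Quote.ETH) return assetPrice;
        // X/USD feed: (X/USD) / (ETH/USD) = X/ETH.
        return assetPrice * 1e18 / read(ethUsdFeed);
    }
}
```

The quote denomination has to be stored per asset when the feed is registered, since an aggregator address alone does not say whether its answer is in USD or ETH.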

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: User experience and design improvement
