DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Price from Chainlink Oracle not adjsusted for USDC decimals

aballok

Summary

LibOracle base price in ETH obtained from Chainlink feed does not account for USDC having 6 decimals

Vulnerability Details

For the TWAP we see that it rightly adjusts for USDC having 6 decimals

uint256 twapPriceInEther = (twapPrice / Constants.DECIMAL_USDC) * 1 ether;

However, when the price is obtained for Chainlink no such adjustments are made to account for 6 decimals USDC; only update done is to account for price feed 8 decimals using int256 internal constant BASE_ORACLE_DECIMALS = 10 ** 10;

It is also common for this adjustment to be done in function function estimateWETHInUSDC() However looking into the function shows no such adjustments
TWAPFacet.sol

function estimateWETHInUSDC(uint128 amountIn, uint32 secondsAgo)

external

view

returns (uint256 amountOut)

{

if (secondsAgo <= 0) {

revert Errors.InvalidTWAPSecondsAgo();

}

uint32[] memory secondsAgos = new uint32[](2);

secondsAgos[0] = secondsAgo;

secondsAgos[1] = 0;

//@dev Returns the cumulative tick and liquidity as of each timestamp secondsAgo from the current block timestamp

(int56[] memory tickCumulatives,) =

IUniswapV3Pool(Constants.USDC_WETH).observe(secondsAgos);

int56 tickCumulativesDelta = tickCumulatives[1] - tickCumulatives[0];

int24 tick = int24(tickCumulativesDelta / int32(secondsAgo));

// Always round to negative infinity

if (tickCumulativesDelta < 0 && (tickCumulativesDelta % int32(secondsAgo) != 0)) {

tick--;

}

//@dev Gets price using this formula: p(i) = 1.0001**i, where i is the tick

amountOut =

OracleLibrary.getQuoteAtTick(tick, amountIn, Constants.WETH, Constants.USDC);

}

Impact

This results in incorrect ETH_USD prices which result in errors in the accounting of the protocol, can lead to inappropriate collateral ratios, unfair and wrong margin calls etc

Tools Used

Manual Analysis

Recommendations

Adjust price appropriately by applying a factor related to USDC == uint256 internal constant DECIMAL_USDC = 10 ** 6;

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.