DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Inconsistency between docs and code (stale docs)

0xCiphky

Summary

The protocol’s documentation presents an inconsistency with the actual code implementation regarding the updating of the saved oracle price. The documentation specifies that the saved oracle price is updated in situations involving the decreaseCollateral() or createLimitShort() functions if 15 minutes have elapsed past the saved oracle time. However, the code reveals that the decreaseCollateral function employs the getCollateralRatio method, which, in turn, utilizes the getPrice method to retrieve the last saved price, not updating it as suggested by the documentation.

function decreaseCollateral(address asset, uint8 id, uint88 amount)

external

isNotFrozen(asset)

nonReentrant

onlyValidShortRecord(asset, msg.sender, id)

{

...

uint256 cRatio = short.getCollateralRatio(asset);

...

}

function getCollateralRatio(STypes.ShortRecord memory short, address asset)

internal

view

returns (uint256 cRatio)

{

return short.collateral.div(short.ercDebt.mul(LibOracle.getPrice(asset)));

}

//@dev Intentionally using ercAmount for oraclePrice. Storing as price may lead to bugs in the match algos.

function getPrice(address asset) internal view returns (uint80 oraclePrice) {

AppStorage storage s = appStorage();

return uint80(s.bids[asset][Constants.HEAD].ercAmount);

}

Vulnerability Details

This inconsistency has been confirmed by the protocol's developer to be a result of outdated documentation.

Tools Used

Manual analysis

Recommendations

Revise the documentation to accurately reflect the current behavior of the system in relation to the updating of the saved oracle price.

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Vague generalities

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.