DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Decimal price discrepancies in Chainlink oracles pose a potential risk for users

PTolev

Summary

Chainlink oracles can return prices with different decimal places, potentially resulting in incorrect price calculations.

Vulnerability Detail

In LibOracle.getOraclePrice, if the asset for which the price is being retrieved uses a different decimal place than the base oracle, the price will be calculated based on the base oracle's price and the asset's oracle price. The calculation is straightforward: oracle's price / base oracle's price. However, there is a possibility that both oracles have different decimal places, which could lead to incorrect price calculations.

Impact

Incorrect price calculations can result in financial losses for users.

Tool Used

Manual Review

Recommendation

To mitigate this issue, use AggregatorV3Interface.decimals() to ensure that both oracles have the same number of decimal places. This will help ensure accurate price calculations.

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Known issues

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.