DittoETH

Possible division by zero when TWAP's price of ETH falls below 1 USD

Github Link

https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibOracle.sol#L85-L89

Vulnerability

The TWAP price fetched is divided by Constants.DECIMAL_USDC = 10**6 before being multiplied by 1 ether in line 85. If the price of ETH falls below $1 USD, twapPriceInEther evaluates to zero. twapPriceInEther is inverted in line 86 causing the transaction to revert
without a descriptive error message because of a division by zero.

Recommendation

Move the check in lines 87-89 before the inversion in line 86.

Get liquidation time functions of assets only returns the whole number portion of liquidation hours.

Github Link

https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibAsset.sol#L19-L27
https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibAsset.sol#L29-L38
https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/libraries/LibAsset.sol#L40C6-L48
https://github.com/Cyfrin/2023-09-ditto/blob/a93b4276420a092913f43169a353a6198d3c21b9/contracts/facets/OwnerFacet.sol#L378-L398

Vulnerability

The comments of all the liquidation time functions and the implementation of the set functions (_setFirstLiquidationTime, _setResetLiquidationTime, and _setSecondLiquidationTime) indicate that the liquidation times of assets can hold hours in decimals. But the functions firstLiquidationTime, secondLiquidationTime, and resetLiquidationTime do not return the decimal part because the division floors the result.

Recommendation

Remove the comment indicating the functions cannot return hours in decimal or update the protocol to allow the function return hours in decimals.