The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: medium
Invalid

`LiquidationPool::distributeAssets()` assumes same decimals on all Chainlink price feeds

Summary

`LiquidationPool::distributeAssets()` incorrectly assumes that prices returned from Chainlink oracles all come in 8-decimal format. This is inaccurate, as the decimal count may vary across different feeds.

Vulnerability Details

The following calculations from `LiquidationPool::distributeAssets()` are affected by this:

L207:

```solidity
(,int256 priceEurUsd,,,) = Chainlink.AggregatorV3Interface(eurUsd).latestRoundData();
```

L218-L221:

```solidity
(,int256 assetPriceUsd,,,) = Chainlink.AggregatorV3Interface(asset.token.clAddr).latestRoundData();
uint256 _portion = asset.amount * _positionStake / stakeTotal;
uint256 costInEuros = _portion * 10 ** (18 - asset.token.dec) * uint256(assetPriceUsd) / uint256(priceEurUsd)
    * _hundredPC / _collateralRate;
```

The calculation for costInEuros incorrectly scales the cost because it assumes the prices from oracles are returned with 8 decimals.

Impact

  • Wrongly updated EUROs positions of all stakers

  • Wrong amount of EUROs being burned from the contract

  • Wrong reward distribution

Tools Used

Manual Analysis

Recommendations

Apply a decimal correction for all prices consumed from oracles. While all of the feeds specified in the docs use 8 decimals, I wouldn't recommend hard-coding the count to 8. Instead, you should use `Chainlink.AggregatorV3Interface.decimals()` and apply the correction for each individual price feed.
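One way to apply the recommended per-feed correction, as an added example that is not code from The Standard or from this submission. The library name `FeedPrice`, its functions, the 18-decimal common scale and the positive-price check are assumptions made for illustration; the `costInEuros` expression mirrors the one quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal subset of Chainlink's AggregatorV3Interface used below.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound
    );
}

// Hypothetical helper library (assumption); not part of the audited code base.
library FeedPrice {
    // Common scale chosen for this example (assumption).
    uint8 internal constant TARGET_DECIMALS = 18;

    // Convert `price`, quoted with `feedDecimals` decimals, to 18 decimals.
    function scaleTo18(uint256 price, uint8 feedDecimals) internal pure returns (uint256) {
        if (feedDecimals == TARGET_DECIMALS) return price;
        if (feedDecimals < TARGET_DECIMALS) {
            return price * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
        }
        // Feeds with more than 18 decimals lose the extra precision here.
        return price / 10 ** uint256(feedDecimals - TARGET_DECIMALS);
    }

    // Read a feed and return its latest answer normalised to 18 decimals.
    function read18(address feed) internal view returns (uint256) {
        AggregatorV3Interface agg = AggregatorV3Interface(feed);
        (, int256 answer,,,) = agg.latestRoundData();
        // Reject zero or negative answers before the unsigned cast (added check).
        require(answer > 0, "non-positive price");
        return scaleTo18(uint256(answer), agg.decimals());
    }

    // Same formula as in distributeAssets(), with both prices on one scale,
    // so the ratio stays correct even if the two feeds differ in decimals.
    function costInEuros(
        uint256 portion, uint8 tokenDec, address assetFeed, address eurUsdFeed,
        uint256 hundredPC, uint256 collateralRate
    ) internal view returns (uint256) {
        uint256 assetPriceUsd = read18(assetFeed);
        uint256 priceEurUsd = read18(eurUsdFeed);
        return portion * 10 ** (18 - tokenDec) * assetPriceUsd / priceEurUsd
            * hundredPC / collateralRate;
    }
}
```

When both feeds report the same decimal count, the scale factors cancel in the ratio and the result matches the original expression; the normalisation only changes the outcome when the counts differ.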

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

chainlink-decimals

informational/invalid

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

chainlink-decimals

informational/invalid
