Chainlink oracle response decimals are ignored
Summary
LiquidationPool::distributeAssets doesn't scale chainlink response, which will lead to significant euro losses for stakers
Vulnerability Details
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L218
When assetPriceUsd is requested it can return different values depending on oracle's decimals. If an asset cost 1 usd oracle feed with 8 decimals will return 1e8, oracle feed with 18 decimals will return 1e18.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPool.sol#L220-L221
When costInEuros is calculated it will correctly remove decimals for feeds with 8 decimals because priceEurUsd has 8 decimals itself. But for feeds with 18 decimals it will be 1e18-1e8=1e10 times larger. It means that for every 1 euro of collateral the contract will burn up to 1e10 staked euros.
On the contrary when oracle has <8 decimals stackers will get much more assets than euros burned.
Impact
Staked euros are excessively burn if oracle has >8 decimals
Tools Used
Manual review
Recommended Mitigation Steps
Consider dividing/multiplying returned value to properly scale it
Lead Judging Commences
chainlink-decimals
informational/invalid
chainlink-decimals
informational/invalid
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.