DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Valid

Inconsistent usage of `lookback` in `LibUsdOracle.getTokenPrice()`.

Summary

LibUsdOracle.getTokenPrice() uses a lookback of 0 for WSTETH.

Vulnerability Details

getUsdPrice() passes the same lookback to the WETH and WSTETH oracles, which looks like the intended behavior.

```solidity
function getUsdPrice(address token, uint256 lookback) internal view returns (uint256) {
    if (token == C.WETH) {
        uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
        if (ethUsdPrice == 0) return 0;
        return uint256(1e24).div(ethUsdPrice);
    }
    if (token == C.WSTETH) {
        uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);
        if (wstethUsdPrice == 0) return 0;
        return uint256(1e24).div(wstethUsdPrice);
    }
    revert("Oracle: Token not supported.");
}

function getTokenPrice(address token, uint256 lookback) internal view returns (uint256) {
    if (token == C.WETH) {
        uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
        if (ethUsdPrice == 0) return 0;
        return ethUsdPrice;
    }
    if (token == C.WSTETH) {
        uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(0); //@audit inconsistent
        if (wstethUsdPrice == 0) return 0;
        return wstethUsdPrice;
    }
    revert("Oracle: Token not supported.");
}
```

However, getTokenPrice() uses 0 for the WSTETH oracle, so it might return a wrong price.

Impact

getTokenPrice() might return a wrong price for WSTETH because it uses a lookback of 0.

Tools Used

Manual Review

Recommendations

Recommend using the normal lookback for the WSTETH oracle.
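A review-time check for this class of bug, as an added example that is not part of the original submission or the project's code: it flags calls that pass a numeric literal inside a function that declares `lookback` and forwards it to other calls. The names `function_bodies` and `find_ignored_param` are hypothetical, the sample is a trimmed copy of the two functions above, and the matching is a regex heuristic rather than a Solidity parser.

```python
import re

# Constructed sample: the two functions from this finding, trimmed to the oracle calls.
SAMPLE = """
function getUsdPrice(address token, uint256 lookback) internal view returns (uint256) {
    if (token == C.WETH) {
        uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
    }
    if (token == C.WSTETH) {
        uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);
    }
}
function getTokenPrice(address token, uint256 lookback) internal view returns (uint256) {
    if (token == C.WETH) {
        uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);
    }
    if (token == C.WSTETH) {
        uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(0);
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)[^{]*\{")
# A call whose only argument is a numeric literal, e.g. Lib.fn(0).
CALL_RE = re.compile(r"(\w+(?:\.\w+)*)\s*\(\s*(\d+)\s*\)")


def function_bodies(src):
    """Yield (name, params, body) per function, matching braces to find the body end."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]


def find_ignored_param(src, param="lookback"):
    """Return (function, callee, literal) for literal-argument calls in functions
    that declare `param` and forward it unchanged to at least one other call."""
    findings = []
    for name, params, body in function_bodies(src):
        declared = re.search(rf"\b{re.escape(param)}\b", params)
        forwarded = re.search(rf"\(\s*{re.escape(param)}\s*\)", body)
        if declared and forwarded:
            for call in CALL_RE.finditer(body):
                findings.append((name, call.group(1), call.group(2)))
    return findings
```

Each hit still needs a manual look, since a literal argument can be intentional.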

Updates

Lead Judging Commences

giovannidisiena Lead Judge
over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Unused lookback parameter
