QuantAMM

49,600 OP
Submission Details
Severity: medium
Invalid

Lack of Decimal Normalization Between Oracle Hops May Lead to Incorrect Price Calculation

Summary

The code assumes that each oracle's getData() returns a value scaled to 18 decimals (i.e., 1 token unit = 10^18). If an upstream oracle instead returns data with more or fewer decimals (for example 10^8 or 10^6), the multiplication or division in the hop loop operates on mismatched scales, and the final price is inconsistent or simply wrong.

Vulnerability Details

// MultiHopOracle.sol, lines 45-49: oracleRes is the current hop's answer and
// data is the price accumulated so far; both are assumed to be 18-decimal values.
if (oracleConfig.invert) {
    // divide by the hop's price (data / oracleRes), keeping 18 decimals
    data = (data * 10 ** 18) / oracleRes;
} else {
    // multiply by the hop's price (data * oracleRes), keeping 18 decimals
    data = (data * oracleRes) / 10 ** 18;
}

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L45-L49

Impact

  • Incorrect Price Feeds: In an environment where not all oracles use the same decimal precision, the final multi-hop result can be distorted.

  • Potential Exploits or Mispricing: If dependent contracts or users rely on this multi-hop oracle for real-time price data, they could make decisions (trades, positions, etc.) based on inaccurate values.

Tools Used

Manual audit

Recommendations

  1. Store Each Oracle’s Decimals: For each HopConfig, include the decimals or a way to retrieve them (e.g., via an interface method if available).

  2. Normalize Values: Before multiplying or dividing, convert the oracle output to a consistent 18-decimal scale. For example:
    // Pseudocode
    int216 scaledOracleRes = scaleTo18Decimals(oracleRes, oracleConfig.oracleDecimals);

  3. Document Assumptions: If you guarantee all oracles share the same 18-decimal standard, document it clearly. Otherwise, handle varying decimals safely.
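The following is an added worked example, not code from the QuantAMM repository or from the submitter. It reproduces the two hop formulas quoted above in Python integer arithmetic (which truncates on division exactly as Solidity does) and folds a constructed two-hop chain once with raw feed answers and once after the recommended scaleTo18Decimals step. The accumulator starting at 1.0 (10^18) so that every hop can use the same two formulas, the function names, the feed values and their decimals are all assumptions for the illustration, not details taken from MultiHopOracle.sol.

```python
"""Added example: multi-hop price folding with and without decimal normalization.
Mirrors the quoted MultiHopOracle arithmetic; not QuantAMM's own code."""

WAD = 10**18  # the 18-decimal scale the quoted hop arithmetic assumes


def scale_to_18_decimals(value: int, decimals: int) -> int:
    """Convert a raw oracle answer with `decimals` decimals to the 18-decimal scale.

    Feeds with fewer than 18 decimals are scaled up exactly. Feeds with more
    than 18 are scaled down by integer division, so the lowest digits are
    dropped (the same truncation Solidity would perform).
    """
    if not 0 <= decimals <= 77:  # reject nonsense metadata; the upper bound is arbitrary
        raise ValueError(f"unsupported decimals: {decimals}")
    if decimals == 18:
        return value
    if decimals < 18:
        return value * 10 ** (18 - decimals)
    return value // 10 ** (decimals - 18)


def multi_hop_price(hops, normalize: bool) -> int:
    """Fold hops of (raw_value, decimals, invert) into one 18-decimal price.

    Assumption (not from the page): the accumulator starts at 1.0 (WAD), so the
    first hop reduces to `data = oracleRes` or `data = 1 / oracleRes` and every
    hop can use the two formulas quoted from MultiHopOracle.
    """
    data = WAD
    for raw_value, decimals, invert in hops:
        oracle_res = scale_to_18_decimals(raw_value, decimals) if normalize else raw_value
        if oracle_res == 0:
            # a zero answer is a stale or broken feed; fail closed instead of
            # propagating a zero price or dividing by zero on an inverted hop
            raise ZeroDivisionError("oracle returned 0")
        if invert:
            data = (data * WAD) // oracle_res      # data / oracleRes, 18 decimals
        else:
            data = (data * oracle_res) // WAD      # data * oracleRes, 18 decimals
    return data


# Constructed sample chain (values invented for the example):
#   hop 1: ETH/USD from an 8-decimal feed, Chainlink-style
#   hop 2: EUR/USD from an 18-decimal feed, applied inverted to obtain ETH/EUR
SAMPLE_HOPS = [
    (2000 * 10**8, 8, False),   # ETH/USD = 2000.00000000
    (125 * 10**16, 18, True),   # EUR/USD = 1.25, inverted -> USD/EUR
]
# Expected ETH/EUR = 2000 / 1.25 = 1600, i.e. 1600e18 on the 18-decimal scale.


if __name__ == "__main__":
    naive = multi_hop_price(SAMPLE_HOPS, normalize=False)
    fixed = multi_hop_price(SAMPLE_HOPS, normalize=True)
    print(f"raw answers : {naive} ({naive / WAD} ETH/EUR)")
    print(f"normalized  : {fixed} ({fixed / WAD} ETH/EUR)")
```

Run as written, the raw-answer path yields 1.6e11 (0.00000016 ETH/EUR on the 18-decimal scale, off by a factor of 10^10 because the 8-decimal answer was treated as if it had 18), while the normalized path yields exactly 1600e18. The zero check is the kind of fail-closed guard a consumer of a multi-hop feed would want regardless of how decimals are handled.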

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
