ChainLinkOracle.sol Constructor Assumes Chainlink Price Feed Decimals Are Always ≤18
Summary
The ChainlinkOracle constructor incorrectly assumes that all Chainlink price feeds return decimals ≤ 18. This assumption can lead to underflow errors and miscalculations when Chainlink introduces price feeds with decimals greater than 18.
Vulnerability Details
Issue
The contract's constructor includes the following code:
The normalizationFactor calculation assumes that priceFeed.decimals() will always return a value ≤ 18. However, this is not guaranteed by the Chainlink protocol. Future price feeds might use decimals > 18, resulting in:
Underflow errors when calculating
normalizationFactor.Incorrect normalized prices, causing significant financial discrepancies.
Proof of Concept
Consider a hypothetical price feed with
decimals() = 20.The constructor calculates
normalizationFactor = 18 - 20 = -2.
Impact
If the token decimals is greater than 18 it would cause an overflow/underflow error
Tools Used
Manual review
Recommendations
Validate Decimal Values: Add a require statement to ensure priceFeed.decimals() does not exceed 18:
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.