QuantAMM

49,600 OP

View results

Previous Next

Submission Details

Severity: low

Invalid

Zero price Oracle data not handled, leading to potential division by zero

akay

Summary

The MultiHopOracle contract fails to validate if oracle price data is zero before performing division operations, which could lead to the transaction reverting due to division by zero errors when oracles return zero prices.

Vulnerability Details

In the _getData() function, there are multiple instances where division operations are performed without checking if the divisor is zero.

One of them is when inverting the first oracle's price:

if (firstOracle.invert) {

data = 10 ** 36 / data; // Line 32

}

Another instance is when processing subsequent oracles:

if (oracleConfig.invert) {

data = (data * 10 ** 18) / oracleRes; // Line 46

} else {

data = (data * oracleRes) / 10 ** 18; // Line 48

}

If any oracle returns a zero price, these division operations will cause the transaction to revert with a division by zero error.

Impact

Can cause complete function failure when zero prices are encountered and could also affect critical price-dependent operations.

Tools Used

Manual code review

Recommendations

Add explicit zero-value checks with clear error messages:

function _getData() internal view override returns (int216 data, uint40 timestamp) {

HopConfig memory firstOracle = oracles[0];

(data, timestamp) = firstOracle.oracle.getData();

require(data != 0, "MultiHopOracle: zero price from oracle");

if (firstOracle.invert) {

data = 10 ** 36 / data;

}

uint256 oracleLength = oracles.length;

for (uint i = 1; i < oracleLength; ) {

HopConfig memory oracleConfig = oracles[i];

(int216 oracleRes, uint40 oracleTimestamp) = oracleConfig.oracle.getData();

require(oracleRes != 0, "MultiHopOracle: zero price from oracle");

// ... rest of the function

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

invalid_getData_negative_or_zero_price

Multihop will call ChainlinkOracle and the check is in it: `require(data > 0, "INVLDDATA");` MultiHop is just here to combine Chainlinks feed when there is no direct USD price feed for a token.

Prize pool breakdown

Total prize

49,600 OP

nSLOC

3,000

17 OP / LOC

High Medium

44,640

Low

4,960

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!