QuantAMM
QuantAMM
49,600 OP
View results
Previous Next
Submission Details
Severity: low
Valid

Possible overflow when oracle prices are too small

dharkartz

Summary

The _getData function in the MultiHopOracle contract contains critical vulnerabilities that can lead to arithmetic overflow when processing extreme oracle data values. These vulnerabilities arise from the lack of safeguards against large intermediate results during multiplication and inversion operations. Specifically, the use of excessively large scaling factors, such as 10**36 and 10**18, combined with potentially small or large oracle data values, creates scenarios where intermediate calculations exceed the range of int216.

https://github.com/Cyfrin/2024-12-quantamm/blob/a775db4273eb36e7b4536c5b60207c9f17541b92/pkg/pool-quantamm/contracts/MultiHopOracle.sol#L31

Vulnerability Details

1. Overflow in the First Oracle Inversion

The first oracle's result is inverted using:

data = 10 ** 36 / data;

Example:

  • Oracle A data: 10**-30 (price of Token A / Token B).

  • Calculation:

    data = 10**36 / 10**-30 = 10**36 * 10**30 = 10**66

  • Issue:
    10**66 exceeds the maximum range of int216, which is approximately 10**64. This results in an overflow error, halting the execution of the function.

2. Overflow During Multiplication in Subsequent Oracles

The subsequent oracle calculations multiply data by the next oracle's result before dividing by the precision factor 10**18:

if (oracleConfig.invert) {
data = (data * 10 ** 18) / oracleRes;
} else {
data = (data * oracleRes) / 10 ** 18;
}

Example:

  • Initial data: 10**60 (already close to int216 limits).

  • Oracle B data: 10**10 (price of Token B / Token C).

  • Calculation:

    data = (10**60 * 10**18) / 10**10 = 10**78 / 10**10 = 10**68

  • Issue:
    The intermediate result 10**78 exceeds the int216 range, causing an overflow before the division can occur.

Root Cause

  • Excessive Scaling Factors: Using 10**36 for inversion and 10**18 for precision unnecessarily inflates intermediate values.

  • No Range Checks: The function does not verify that intermediate calculations remain within the bounds of int216.

Impact

  • Denial of Service: Overflow causes the contract to revert, preventing critical price data from being retrieved.

  • Data Integrity Risks: Even if not exploited maliciously, genuine oracle data could cause failures, impacting dependent systems.

Tools Used

Manual Code Review
Test simulation with real life figures

Recommendation

  1. Replace 10**36 with smaller scaling factors or use fixed-point arithmetic libraries:

data = (10 ** 18 * 10 ** 18) / data; // Scaled inversion

  1. Add checks to ensure intermediate values remain within safe bounds:

require(data <= type(int216).max / 10**18, "Overflow risk on multiplication");

By implementing these recommendations, the MultiHopOracle contract can handle extreme oracle values more robustly, ensuring reliable and secure price data computation.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_MultiHopOracle_getData_invert_precision_loss_low_decimals

Likelihood: Informational/Very Low, admin should use a price feed with 18 decimals and this feed should compare a assets with a very small value and an asset with a biggest amount to have the smallest price possible. Admin wouldn't do that intentionally, but one token could collapse, and with multiple hop, it increases a bit the probability. Impact: High, complete loss of precision. Probability near 0 but not 0: deserve a Low

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!