The _getData function in the MultiHopOracle contract has serious flaws that might cause arithmetic overflow when processing extreme oracle data values. These vulnerabilities stem from a lack of safeguards against large intermediate results during multiplication and inversion operations. Specifically, the use of excessively large scaling factors, such as 10**36 and 10**18, paired with either very small or very large oracle data values, creates cases where intermediate calculations exceed the range of int216.
The first oracle's result is inverted using:
```solidity
data = 10 ** 36 / data;
```
Oracle A data: 10**-30 (price of Token A / Token B).
Calculation:
data = 10**36 / 10**-30 = 10**36 * 10**30 = 10**66
Issue:
10**66 exceeds the maximum range of int216, which is approximately 10**64. This results in an overflow error, halting the execution of the function.
The subsequent oracle calculations multiply data by the next oracle's result before dividing by the precision factor 10**18:
Initial data: 10**60 (already close to int216 limits).
Oracle B data: 10**10 (price of Token B / Token C).
Calculation:
data = (10**60 * 10**18) / 10**10 = 10**78 / 10**10 = 10**68
Issue:
The intermediate result 10**78 exceeds the int216 range, causing an overflow before the division can occur.
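The range arithmetic behind the two operations described above can be checked offline. The following Python model is an added example, not code from the MultiHopOracle contract or from this report; it assumes Solidity 0.8+ checked arithmetic, integer oracle values, and a hop of the form data * next / 10**18, and all function names are hypothetical.

```python
# Added example (not the contract's code): int216 range model using Python's
# arbitrary-precision integers. Assumes Solidity >= 0.8 checked arithmetic.
INT216_MAX = 2**215 - 1        # about 5.27e64
INT216_MIN = -(2**215)
INVERSION_SCALE = 10**36       # report: data = 10 ** 36 / data
PRECISION = 10**18             # precision factor named in the report

class Int216Overflow(ArithmeticError):
    """Stands in for the revert of a checked int216 operation."""

def checked(value, step):
    """Return value if it fits in int216, else raise naming the step."""
    if not INT216_MIN <= value <= INT216_MAX:
        digits = len(str(abs(value)))
        raise Int216Overflow(f"{step}: {digits}-digit value exceeds int216")
    return value

def sdiv(a, b):
    """Signed division truncating toward zero, as Solidity does."""
    q = abs(a) // abs(b)       # b == 0 raises, as division by zero reverts
    return q if (a < 0) == (b < 0) else -q

def invert(data):
    # With a non-zero integer input the quotient never exceeds 10**36.
    return checked(sdiv(INVERSION_SCALE, checked(data, "read")), "invert")

def hop(data, next_price):
    # The product is range-checked before the division can shrink it.
    product = checked(data * checked(next_price, "read"), "multiply")
    return sdiv(product, PRECISION)

def max_safe_multiplier(data):
    """Largest |next_price| for which data * next_price still fits."""
    return INT216_MAX if data == 0 else INT216_MAX // abs(data)

def run_path(first_price, invert_first, later_prices):
    """Return (final_value, None) or (None, description of failing step)."""
    try:
        data = invert(first_price) if invert_first else checked(first_price, "read")
        for price in later_prices:
            data = hop(data, price)
        return data, None
    except Int216Overflow as exc:
        return None, str(exc)

if __name__ == "__main__":
    # Constructed inputs taken from the report's second scenario.
    print(run_path(10**60, False, [10**10]))
```

max_safe_multiplier gives the bound a pre-multiplication range check would compare the next oracle value against.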
Excessive Scaling Factors: Using 10**36 for inversion and 10**18 for precision unnecessarily inflates intermediate values.
No Range Checks: The function does not verify that intermediate calculations remain within the bounds of int216.
Denial of Service: Overflow causes the contract to revert, preventing critical price data from being retrieved.
Data Integrity Risks: Even if not exploited maliciously, genuine oracle data could cause failures, impacting dependent systems.
Manual Code Review
Test simulation with real-life figures
Replace 10**36 with smaller scaling factors or use fixed-point arithmetic libraries:
Add checks to ensure intermediate values remain within safe bounds:
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.