Algo Ssstablecoinsss

First Flight #30
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

In the function _get_token_amount_from_usd there is only PRECISION for WETH not also for WBTC.

Summary

The _get_token_amount_from_usd function is designed to convert a specified USD amount into the corresponding amount of a given token, using the latest price data from an oracle. There is a PRECISION constant value only for WETH but not for WBTC.

Vulnerability Details

In the code there is no implementation of PRECISION for WBTC.

    return (
        # @audit usd_amount_in_wei: what about BTC satoshi? Here the PRECISION is different; BTC has satoshi 10^8.
        (usd_amount_in_wei * PRECISION) // (
            convert(price, uint256) * ADDITIONAL_FEED_PRECISION
        )
    )

There is only a value for WETH = 10^18 but not for WBTC = 10^8.

Impact

For WBTC tokens, the amount will be incorrectly inflated by $10^{10}$ times the actual value. The protocol will be compromised, creating the potential for funds to be drained.

Tools Used

manual review

Recommendations

Please add a PRECISION value also for WBTC.

    @internal
    @view
    def _get_token_amount_from_usd(
        token: address, usd_amount_in_wei: uint256
    ) -> uint256:
        price_feed: AggregatorV3Interface = AggregatorV3Interface(
            self.token_address_to_price_feed[token]
        )
        round_id: uint80 = 0
        price: int256 = 0
        started_at: uint256 = 0
        updated_at: uint256 = 0
        answered_in_round: uint80 = 0
        (
            round_id, price, started_at, updated_at, answered_in_round
        ) = oracle_lib._stale_check_latest_round_data(price_feed.address)
        precision: uint256 = 10**18  # Default precision for ETH
        if token == WBTC_ADDRESS:
            precision = 10**8  # Adjust precision for WBTC
        return (
            (usd_amount_in_wei * precision) // (
                convert(price, uint256) * ADDITIONAL_FEED_PRECISION
            )
        )

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
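
The conversion formula quoted in the submission above, as an added Python example that is not contest or project code: it shows that the base-unit result only makes sense when the precision equals 10 ** decimals of the token contract actually deployed. The 8-decimal feed, ADDITIONAL_FEED_PRECISION = 10**10, the $50,000 price and all function names are assumptions, not values from the page.

```python
from fractions import Fraction

# Assumptions (not stated on the page): the USD feed reports 8 decimals and
# ADDITIONAL_FEED_PRECISION scales that price up to 18 decimals.
ADDITIONAL_FEED_PRECISION = 10**10
WAD = 10**18  # usd_amount_in_wei carries 18 decimals


def token_amount_from_usd(usd_amount_in_wei: int, price: int, precision: int) -> int:
    """The page's formula with the precision passed in; integer division as in Vyper."""
    if price <= 0:
        raise ValueError("oracle price must be positive")
    return (usd_amount_in_wei * precision) // (price * ADDITIONAL_FEED_PRECISION)


def amount_for_token(usd_amount_in_wei: int, price: int, token_decimals: int) -> int:
    """Hypothetical helper: take the precision from the token's own decimals."""
    return token_amount_from_usd(usd_amount_in_wei, price, 10**token_decimals)


def whole_tokens(base_units: int, token_decimals: int) -> Fraction:
    """Interpret a base-unit amount the way a token with these decimals would."""
    return Fraction(base_units, 10**token_decimals)


def compare(usd_amount_in_wei: int, price: int) -> dict:
    """Base units per precision, read back under both decimal conventions."""
    out = {}
    for precision_decimals in (18, 8):
        units = amount_for_token(usd_amount_in_wei, price, precision_decimals)
        out[precision_decimals] = {
            "base_units": units,
            "as_18_decimal_token": whole_tokens(units, 18),
            "as_8_decimal_token": whole_tokens(units, 8),
        }
    return out


if __name__ == "__main__":
    # Constructed sample: 100 USD at a 50,000 USD price (8-decimal feed answer).
    for decimals, row in compare(100 * WAD, 50_000 * 10**8).items():
        print(f"precision 10**{decimals}: {row}")
    # Constructed edge case: 0.0001 USD truncates to zero base units at 10**8.
    print(amount_for_token(10**14, 50_000 * 10**8, 8))
```

A mismatch in either direction is off by a factor of 10^10, so the check that settles a report like this one is the `decimals()` value of the collateral token the protocol is deployed against.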
